A recent surge in Android malware activity has unveiled a fresh wave of GravityRAT attacks. Since August 2022, mobile devices have been infected with a trojanized chat application called ‘BingeChat,’ which is part of the latest version of GravityRAT. The primary objective of this malware campaign is to steal valuable data from the victim’s devices, particularly WhatsApp backup files. Researchers at ESET, led by Lukas Stefanko, have been investigating this malware after receiving a tip from the MalwareHunterTeam.
The Evolution of GravityRAT
GravityRAT, a notorious malware, has been active since 2015. However, it wasn’t until 2020 that it started targeting Android devices. The malware’s operators, known as ‘SpaceCobra,’ exclusively employ this spyware for their narrow and highly targeted operations. One of the significant updates in the latest version of GravityRAT is its ability to pilfer WhatsApp backup files. It contains unencrypted sensitive data such as text, photos, videos, and documents.
The Current Android Campaign
This spyware is masquerading as an end-to-end encrypted chat application called ‘BingeChat.’ Despite its seemingly simple interface, BingeChat boasts advanced features to entice unsuspecting users. ESET researchers have discovered that the malicious app is distributed through a domain named “bingechat[.]net,” although it may also be disseminated through other domains or distribution channels. It’s important to note that the download process is invite-based, requiring users to provide valid credentials or create a new account. The closed registration system enables the attackers to specifically target individuals while making it difficult for researchers to obtain a copy of the app for analysis.
The operators of GravityRAT have previously employed a similar tactic, promoting malicious Android APKs to their targets. In 2021, they used a chat app called ‘SoSafe,’ and before that, another app named ‘Travel Mate Pro.’ Lukas Stefanko discovered that the trojanized version of the legitimate open-source instant messenger app for Android, OMEMO IM, was the basis for the fake app named “Chatico.” The attackers distributed this app to targets in the summer of 2022 via the now-offline domain “chatico.co[.]uk.”
Upon installation of BingeChat on a victim’s device, the app requests a range of permissions, including access to contacts, location, phone, SMS, storage, call logs, camera, and microphone. These permissions are standard for instant messaging apps and are unlikely to raise suspicions or appear abnormal to the victim. Before the user completes the registration process in BingeChat, the app secretly sends call logs, contact lists, SMS messages, device location, and basic device information to the threat actor’s command and control (C2) server.
Moreover, the malware steals media and document files of various formats, such as jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, XML, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18, and crypt32. The crypt file extensions specifically correspond to the WhatsApp Messenger backups mentioned earlier. Another concerning feature of the new version of GravityRAT is its capability to receive three commands from the C2 server: “delete all files” (of a specified extension), “delete all contacts,” and “delete all call logs.”
Protection and Vigilance against GravityRAT Malware
While SpaceCobra’s campaigns typically target users in India, all Android users must exercise caution and take necessary precautions. As a precaution against GravityRAT or similar malware, it is recommended to refrain from downloading APKs from unofficial sites. Stick to trusted and reputable app stores to ensure your device’s and personal data’s safety.
Furthermore, users should be wary of granting excessive or unnecessary permissions when installing any application. In the case of BingeChat, the requested permissions may seem ordinary for an instant messaging app, making it difficult for users to recognize suspicious behavior. However, reviewing and evaluating the permissions requested by any app before granting them is essential.
Regularly updating your device’s operating system and security software is also crucial. Developers frequently release updates to address vulnerabilities and patch security loopholes. By keeping your device and apps up to date, you can stay one step ahead of potential threats.
Recap: GravityRAT Malware
The ongoing Android malware campaign utilizing GravityRAT’s latest version poses a significant risk to users’ WhatsApp backups and sensitive data. With its ability to steal files and execute commands remotely, the malware can potentially cause severe damage to victims’ privacy.
To safeguard against such threats, Android users must remain vigilant. Users must exercise caution while downloading apps, and pay close attention to permissions requested during installation. By following best practices, such as sticking to official app stores, users can protect themselves from mobile malware.