The latest version of the Android remote access trojan dubbed GravityRAT has been found impersonating the messaging apps BingeChat and Chatico as part of a narrowly targeted campaign that has been active since June 2022.
“Notable in a newly discovered campaign, GravityRAT can exfiltrate WhatsApp backups and receive prompts to delete files,” ESET researcher Lukáš Štefanko said in a new report published today.
“The rogue app also provides legitimate chat functionality based on the open source OMEMO Instant Messenger app.”
GravityRAT is the name given to cross-platform malware capable of targeting Windows, Android, and macOS devices. ESET, the Slovak cybersecurity firm, is tracking the activity under the name SpaceCobra.
The threat actor is believed to be based in Pakistan. In a recent attack disclosed by Meta last month, GravityRAT was disguised as a cloud storage and entertainment app and used to target military personnel in India and in the Pakistan Air Force.
The use of chat apps as lures to distribute malware was previously highlighted in November 2021 by Cyble, which analyzed a sample named “SoSafe Chat” that had been uploaded to the VirusTotal database from India.
The chat apps are not available on Google Play; instead, they are distributed through malicious websites that promote free messaging services: bingechat(.)net and chatico(.)co(.)uk.
“These groups use fictional personas — impersonating recruiters for legitimate and fake government and defense companies, military personnel, journalists, and women seeking romantic relationships — in an effort to build trust with the people they target,” Meta said in its Quarterly Adversarial Threat Report.
The modus operandi indicates that potential targets are contacted on Facebook and Instagram with the aim of tricking them into clicking on links and downloading malicious apps.
GravityRAT, like most Android backdoors, requests intrusive permissions under the guise of a seemingly legitimate app in order to harvest sensitive information such as contacts, SMS, call logs, files, location data, and audio recordings without the victim’s knowledge.
The harvested data is then exfiltrated to a remote server under the threat actor’s control. Notably, the app can only be used after registering an account.
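The permission profile described above (contacts, SMS, call logs, files, location, audio) is something a defender can triage directly from an app's manifest before the app is ever installed. The script below is an added example, not ESET's code or anything from the GravityRAT sample: it parses a decoded AndroidManifest.xml, groups the requested permissions by the kind of data they expose, checks whether any service binds to the accessibility service permission (the abuse pattern noted further down for HelloTeacher and Roamer), and returns a verdict. The two manifests embedded in it are constructed for illustration; the package names and service names are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that, requested together by a supposed chat app, match the
# data-harvesting profile described in the article, keyed by what they expose.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_logs",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "files",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio",
}

# A service guarded by this permission is an accessibility service, which can
# read screen content and inject input on the user's behalf.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Summarize the data a manifest lets the app reach and rate the risk."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"

    requested = {el.get(name_attr) for el in root.iter("uses-permission")}
    categories = sorted(
        {SENSITIVE_PERMISSIONS[p] for p in requested if p in SENSITIVE_PERMISSIONS}
    )
    accessibility = any(
        svc.get(perm_attr) == ACCESSIBILITY_PERMISSION for svc in root.iter("service")
    )

    # A messenger plausibly needs contacts and a microphone; reading SMS, call
    # logs or the whole file system on top of that is the spyware profile.
    risky = {"sms", "call_logs", "files"} & set(categories)
    if accessibility or len(categories) >= 4:
        verdict = "high"
    elif risky:
        verdict = "medium"
    else:
        verdict = "low"

    findings = [f"can read {c}" for c in categories]
    if accessibility:
        findings.append("declares an accessibility service")

    return {
        "package": root.get("package"),
        "categories": categories,
        "accessibility_service": accessibility,
        "findings": findings,
        "verdict": verdict,
    }


# Constructed sample: a "chat" app asking for everything the article lists,
# plus an accessibility service. Package and service names are placeholders.
SPYWARE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chatlure">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".SyncService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

# Constructed sample: what a minimal voice/text messenger actually needs.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for m in (SPYWARE_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], "; ".join(r["findings"]))
```

On a real APK the manifest is stored in binary form, so it has to be decoded first (for example with `aapt dump xmltree` or apktool) before being fed to `triage_manifest`. The thresholds are deliberately simple; the useful signal is the combination of categories relative to what the app claims to do, not any single permission.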
What makes the new version of GravityRAT stand out is its ability to steal WhatsApp backup files and receive instructions from a command-and-control (C2) server to delete call logs, contact lists, and files with certain extensions.
“This is a very specific command that is not normally seen in Android malware,” said Štefanko.
The development comes as Android users in Vietnam have fallen victim to a new banking trojan known as HelloTeacher, which uses legitimate messaging apps such as Viber or Kik as a cover to siphon sensitive data and perform unauthorized fund transfers by abusing accessibility service APIs.
Also uncovered by Cyble is a cloud mining scam that “prompts users to download a malicious app to initiate mining,” only to abuse the app’s accessibility service permissions to collect sensitive information from cryptocurrency wallets and banking apps.
The financial trojan, codenamed Roamer, exemplifies the trend of using phishing websites and Telegram channels as distribution vectors, thereby effectively expanding the pool of potential victims.
“Users should be careful and refrain from following suspicious cryptocurrency mining channels on platforms such as Telegram, as these channels can cause large financial losses and put sensitive personal data at risk,” Cyble said.