Android

A new Android malware campaign spreading the latest version of GravityRAT has been underway since August 2022, infecting mobile devices with a trojanized chat app named ‘BingeChat,’ which attempts to steal data from victims’ devices.

According to ESET’s researcher Lukas Stefanko, who analyzed a sample after receiving a tip from MalwareHunterTeam, one of the notable new additions spotted in the latest version of GravityRAT is stealing WhatsApp backup files.

WhatsApp backups are created to help users port their message history, media files, and data onto new devices, so they can contain sensitive data such as text, video, photos, documents, and more, all in unencrypted form.

GravityRAT has been active since at least 2015 but started targeting Android for the first time in 2020. Its operators, ‘SpaceCobra,’ use the spyware exclusively and in narrow targeting operations.

Current Android campaign

The spyware is spread under the name ‘BingeChat,’ supposedly an end-to-end encrypted chat app with a simple interface yet advanced features.

Website spreading GravityRAT
Website spreading GravityRAT (BleepingComputer)

ESET says the app is delivered through “bingechat[.]net” and possibly other domains or distribution channels, but the download is invite-based, requiring visitors to enter valid credentials or register a new account.

While registrations are currently closed, this method allows them only to distribute the malicious apps to targeted people. It also makes it harder for researchers to access a copy for analysis.

Promoting malicious Android APKs to targets is a tactic GravityRAT’s operators employed again in 2021, using a chat app called ‘SoSafe,’ and, before that, another one named ‘Travel Mate Pro.’

Stefanko has found that the app is a trojanized version of OMEMO IM, a legitimate open-source instant messenger app for Android.

Upon digging further, ESET’s analyst found that SpaceCobra had used OMEMO IM as a basis for another fake app named “Chatico,” which was distributed to targets in the summer of 2022 via the now-offline “chatico.co[.]uk.”

Generic operational diagram
Generic operational diagram (ESET)

GravityRAT capabilities

BingeChat requests risky permissions upon its installation on the target’s device, including access to contacts, location, phone, SMS, storage, call logs, camera, and microphone.

These are standard permissions for instant messaging apps, so they are unlikely to raise suspicions or appear abnormal to the victim.

Before the user registers in BingeChat, the app sends call logs, contact lists, SMS messages, device location, and basic device information to the threat actor’s command and control (C2) server.

Additionally, media and document files of jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18, and crypt32 types, are also stolen.

The crypt file extensions correspond to the WhatsApp Messenger backups mentioned previously.

Data exfiltration from the victim's device
Data exfiltration from the victim’s device (ESET)

Another notable new feature of GravityRAT is its ability to receive three commands from the C2, namely “delete all files” (of a specified extension), “delete all contacts,” and “delete all call logs.”

While SpaceCobra’s campaigns are highly targeted and usually focus on India, all Android users should avoid downloading APKs from outside Google Play and be cautious with risky permission requests while installing any app.

Source: www.bleepingcomputer.com