CyberSecurity SEE

Android GravityRAT targets WhatsApp backups


ESET researchers have recently analyzed an updated version of the Android GravityRAT spyware. This particular version of GravityRAT is being distributed under the names BingeChat and Chatico, which are messaging apps. GravityRAT is a remote access tool that has been used since at least 2015 and has previously been used in targeted attacks against India. It is available in versions for Windows, Android, and macOS.

The group behind GravityRAT, which ESET researchers internally refer to as SpaceCobra, remains unknown. The BingeChat campaign, which started in August 2022, is still ongoing, but the campaign using Chatico is no longer active.

BingeChat is distributed through a website that advertises it as a free messaging service. However, the malicious app also has the capability to exfiltrate WhatsApp backup files and receive commands to delete files. It is worth noting that the app also provides legitimate chat functionality based on the open-source OMEMO Instant Messenger app.

ESET researchers were alerted to this campaign by MalwareHunterTeam, who shared the hash for a GravityRAT sample. The malicious BingeChat app claims to provide messaging functionality and is available for download from the bingechat[.]net website. However, the website requires visitors to log in, and registrations were closed during the time of analysis. This suggests that potential victims are highly targeted, and the app is not widely distributed.

Although ESET researchers couldn’t download the BingeChat app from the website, they found a URL on VirusTotal that serves the malicious BingeChat app. This app has the same hash as the sample shared in MalwareHunterTeam’s tweet, indicating that the URL serves as a distribution point for this specific GravityRAT sample.

The malicious app is a trojanized version of the legitimate open-source OMEMO Instant Messenger Android app but is branded as BingeChat. The HTML code of the malicious website suggests that it was copied from a legitimate website that provides WordPress themes for download.

The campaign using BingeChat is likely to be narrowly targeted, as ESET telemetry data has not recorded any victims of this campaign. However, there was one detection of another Android GravityRAT sample in India in June 2022.

The group behind GravityRAT remains unknown, but Facebook researchers have attributed it to a group based in Pakistan. ESET researchers internally track the group as SpaceCobra and attribute both the BingeChat and Chatico campaigns to this group.

The trojanized BingeChat and Chatico apps carry the usual GravityRAT spyware capabilities, including exfiltrating call logs, contact lists, SMS messages, and files with specific extensions. This updated version can also receive commands to delete files. The spyware communicates with a C&C server to exfiltrate the device user’s data and receive commands to execute.

In conclusion, the discovery of the updated Android GravityRAT spyware being distributed as BingeChat and Chatico highlights the ongoing activities of a sophisticated threat actor. The malware’s ability to steal WhatsApp backup files and receive commands to delete files underscores the need for users to remain vigilant and take appropriate security measures to protect their devices and data.
