CyberSecurity SEE

GravityRAT Spyware Targets WhatsApp

The Android malware campaign that began in August 2022 continues to spread, and researchers have recently identified a new Android variant of the “GravityRAT” spyware. It deceives users by posing as a chat app called “BingeChat” in order to access and steal sensitive data.

GravityRAT has been active since 2015 and began targeting Android devices in 2020. It is operated by a group known as “SpaceCobra,” which uses the spyware in narrowly targeted operations against selected victims. The malware disguises itself as BingeChat, claiming to offer end-to-end encryption, a user-friendly interface, and advanced functionality.

The app is primarily delivered through the website “bingechat[.]net.” Downloading it requires an invitation, and the site prompts users to register a new account or provide sensitive data such as credentials. Registrations are currently closed, and the operators use this method only to deliver the malicious app to specific, chosen individuals.

In 2021, the operators of GravityRAT delivered malicious Android APKs to their targets using a chat app called “SoSafe.” Before that, they used an app called “Travel Mate Pro.” Researcher Lukas Stefanko found that the BingeChat app is a trojanized, modified version of OMEMO IM, a legitimate open-source instant messaging application for Android.

SpaceCobra also distributed a fraudulent app called “Chatico” to targeted individuals through the website “chatico.co[.]uk” in the summer of 2022.

When BingeChat is installed on a target’s device, it requests a set of sensitive permissions, including access to contacts, location, phone, SMS, storage, call logs, camera, and microphone. Because instant messaging apps commonly request these permissions, the requests are unlikely to raise suspicion. Upon registration, the app automatically transfers call logs, contact lists, SMS messages, device location, and basic device information to a command-and-control (C2) server operated by the threat actor.
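The permission set described above is the one concrete indicator the report gives a defender, so the following is an added triage example (not code from the original article or from ESET) that parses an Android manifest and flags apps requesting the same bundle of sensitive permissions. The manifest text is assumed to have already been decoded from the APK (for example with apktool); the sample manifests below are constructed for illustration and do not come from the real BingeChat app.

```python
import xml.etree.ElementTree as ET

# Namespace used for the android:name attribute in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names, mapped to the data categories the article
# lists as requested by the spyware (contacts, location, phone, SMS, storage,
# call logs, camera, microphone).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.CALL_PHONE": "phone",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed sample: a chat app asking for the full bundle named in the article.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chatsample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

# Constructed sample: a minimal app that only needs network and camera access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photosample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""


def extract_permissions(manifest_xml: str) -> list:
    """Return every android:name value from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def triage(manifest_xml: str, threshold: int = 5) -> dict:
    """Score a manifest by how many sensitive data categories it can reach.

    The threshold is an assumed triage cut-off, not a verdict: legitimate
    messengers also request many of these, so a flag means 'review', not 'malware'.
    """
    perms = extract_permissions(manifest_xml)
    categories = sorted({SENSITIVE[p] for p in perms if p in SENSITIVE})
    return {
        "permissions": perms,
        "sensitive_categories": categories,
        "flagged": len(categories) >= threshold,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, result["flagged"], result["sensitive_categories"])
```

The score counts distinct data categories rather than raw permissions, so an app that asks for both fine and coarse location is not penalised twice; the point is to surface the combination (messaging plus call logs, microphone, camera and storage) that gives spyware everything it needs, and to send that app for manual review rather than to block it automatically.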

To protect against such malware, users are advised not to install APKs from unknown or untrusted sources and to review carefully which permissions an app requests during installation.

The discovery that GravityRAT steals WhatsApp backup files adds to the increasingly sophisticated tactics employed by cybercriminals. It is crucial for users to stay informed about such threats and to take the necessary precautions to safeguard their sensitive data.