Technical Writing Portfolio Showcase

Urooj Waqar

Meta Description: The GravityRAT spyware exfiltrates your WhatsApp data by disguising itself as a messaging app. Cyber crime will not leave you alone! Read on.
WhatsApp backups could be stolen by the GravityRAT Android trojan
A recently discovered variant of GravityRAT, an Android remote access trojan, has been detected in a targeted campaign since June 2022. This malware version disguises itself as messaging apps called BingeChat and Chatico.
According to ESET researcher Lukáš Štefanko, “This campaign has revealed some notable features of GravityRAT. It can now exfiltrate WhatsApp backups and receive commands to delete files. In addition, the malicious apps offer legitimate chat functionality based on the open-source OMEMO Instant Messenger app.”

What is GravityRAT?

GravityRAT, also known as SpaceCobra, is a cross-platform malware targeting Windows, Android, and macOS devices. It has been observed primarily targeting military personnel in India and the Pakistan Air Force, with the threat actor suspected to be based in Pakistan.
(Image source: ESET)
Cyble had previously highlighted the use of chat apps as a guise for distributing the malware in November 2021, when it analyzed a sample named "SoSafe Chat" that had been uploaded to the VirusTotal database from India.
The chat apps are not available on Google Play; instead, they are distributed through rogue websites that promote free messaging services, namely bingechat[.]net and chatico[.]co[.]uk.
In its Quarterly Adversarial Threat Report, Meta revealed that the threat group behind GravityRAT employed deceptive tactics by assuming false identities. They posed as recruiters for legitimate and fake defense companies and governments, military personnel, journalists, and individuals seeking romantic connections. This approach aimed to build trust with the targeted individuals.
“This report describes our threat research findings into the three cyber espionage networks we took down in South Asia — all long-running advanced persistent threat groups targeting people across the internet. It includes: a group known as a prolific user of the malware family GravityRAT that we attributed to state-linked actors in Pakistan, a threat actor in India known in the security industry as Patchwork APT, and the threat group known as Bahamut APT operating out of South Asia,” according to Meta.

Modus operandi of attack

The attackers typically contact potential victims on Facebook and Instagram, enticing them to click on the links and download the malicious apps.
GravityRAT, like many Android backdoors, requests extensive permissions under the guise of a seemingly legitimate app. These permissions allow it to gather sensitive information without the user's awareness: contacts, SMS messages, call logs, files, location data, and audio recordings.
The stolen data is then sent to a remote server controlled by the threat actor. It is worth noting that the app can only be used after the victim creates an account.
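The permission set described above is the kind of signal a defender can check for before an app is installed. The following is an added example, not code from the article or from ESET, that parses an Android manifest and flags a "chat" app requesting the whole data-collection cluster named in the text; the permission-to-category mapping, the threshold of four, and the sample manifest are this example's own assumptions.

```python
# Added example (not from the article): triage an Android manifest for the
# data-collection permissions the article attributes to GravityRAT.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> data category named in the article (contacts, SMS, call logs,
# files, location, audio). The mapping is an assumption made for illustration.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_EXTERNAL_STORAGE": "files (including WhatsApp backups)",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio recordings",
}

def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }

def triage(manifest_xml: str, threshold: int = 4) -> dict:
    """Flag a manifest that requests the GravityRAT-style permission cluster.

    threshold is an assumed cut-off: a messaging app legitimately needs some of
    these, but asking for most of them at once deserves a closer look."""
    perms = requested_permissions(manifest_xml)
    hits = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    return {"hits": hits, "suspicious": len(hits) >= threshold}

# Constructed sample manifest: a "chat" app requesting far more than chat needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.chat.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    for perm, category in sorted(result["hits"].items()):
        print(f"{perm} -> {category}")
    print("suspicious:", result["suspicious"])  # prints "suspicious: True"
```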

How is it different?

What sets the new version of GravityRAT apart is its ability to steal WhatsApp backup files and to receive instructions from the command-and-control (C2) server to delete call logs, contact lists, and files with specific extensions.
Štefanko emphasized that these are particular commands not typically observed in Android malware.

What’s in hand?

The group has been active since 2015. What distinguishes these threat actors is their persistence: they change their names, evolve their tactics, adopt new technologies, and ultimately reach their goals.
That is why we need to be just as committed. Avoid suspicious links, install apps only from authorized sources, use hard-to-guess passwords, and, most importantly, stay alert. Keep learning and stay safe.