GravityRAT Mobile Malware

Since August 2022, a new Android malware campaign has been detected, spreading the latest version of GravityRAT and compromising mobile devices. The malware utilizes a trojanized chat application named 'BingeChat' as its means of infection, aiming to steal data from the victims' devices.

The latest version of GravityRAT comes with notable enhancements, including the ability to pilfer WhatsApp backup files. These backup files, designed to assist users in transferring their message history, media files, and data to new devices, can contain sensitive information such as text, videos, photos, documents, and more, all in an unencrypted format.

While GravityRAT has been active since at least 2015, it only began targeting Android devices in 2020. The operators behind this malware, known as 'SpaceCobra,' exclusively employ the spyware for their highly-targeted operations.

Cybercriminals Disguise GravityRAT as Useful Chat Apps

The spyware, disguised as the chat app 'BingeChat,' claims to offer end-to-end encryption and boasts a user-friendly interface along with advanced features. The malicious app is primarily distributed through the website 'bingechat.net' and possibly other domains or channels. However, access to the download is restricted to invited individuals who must provide valid credentials or register a new account.

Currently, registrations for the app are closed, limiting its distribution to specific targets. This method not only allows the perpetrators to deliver the malware selectively but also poses a challenge for researchers seeking to obtain a copy for analysis.

In a recurring pattern, GravityRAT's operators resorted to promoting malicious Android APKs using a chat app named 'SoSafe' in 2021 and prior to that, another app called 'Travel Mate Pro.' These apps were trojanized versions of OMEMO IM, a legitimate open-source instant messenger app for Android.

Notably, SpaceCobra previously utilized OMEMO IM as a foundation for yet another fraudulent app called 'Chatico.' In the summer of 2022, Chatico was distributed to targets through the now-defunct website 'chatico.co.uk.'

Malicious Capabilities Found in the GravityRAT Mobile Threat

Upon installation on the target's device, BingeChat requests permissions that carry inherent risks. These permissions include access to contacts, location, phone, SMS, storage, call logs, camera, and microphone. Since these permissions are typically required by instant messaging apps, they are unlikely to raise suspicions or appear abnormal to the victim.

Before a user registers in BingeChat, the app surreptitiously sends crucial information to the threat actor's Command-and-Control (C2) server. This includes call logs, contact lists, SMS messages, device location, and basic device information. Additionally, the malware steals various media and document files of specific file types, such as jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18, and crypt32. Notably, the crypt file extensions correspond to WhatsApp Messenger backups.

Furthermore, one of the notable new features of GravityRAT is its ability to receive three distinct commands from the C2 server. These commands include 'delete all files' (of a specified extension), 'delete all contacts,' and 'delete all call logs.' This capability grants the threat actor significant control over the compromised device and allows them to execute potentially damaging actions.

Users should exercise utmost caution when granting permissions to apps and carefully review the permissions requested by any application, even seemingly legitimate ones. Regularly updating devices, employing reliable security solutions, and being vigilant against suspicious app behavior can help mitigate the risks associated with such sophisticated malware campaigns.