GravityRAT Android Trojan Steals WhatsApp Backups and Deletes Files
Cyber Security Threat Summary:
“An updated version of an Android remote access trojan dubbed GravityRAT has been found masquerading as messaging apps BingeChat and Chatico as part of a narrowly targeted campaign since June 2022. ‘Notable in the newly discovered campaign, GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files,’ ESET researcher Lukáš Štefanko said in a new report published today. ‘The malicious apps also provide legitimate chat functionality based on the open-source OMEMO Instant Messenger app.’ GravityRAT is the name given to a cross-platform malware that's capable of targeting Windows, Android, and macOS devices. The Slovak cybersecurity firm is tracking the activity under the name SpaceCobra. The threat actor is suspected to be based in Pakistan, with recent attacks involving GravityRAT targeting military personnel in India and among the Pakistan Air Force by camouflaging it as cloud storage and entertainment apps, as disclosed by Meta last month” (The Hacker News, 2023).
Security Officer Comments:
The bogus applications are not available for download on Google Play and are being advertised on attacker-controlled domains promoting free software, in particular for the Bingchat (bingechat[.]net) and Chatico (chatico[.]co[.]uk.) messaging services. According to the campaign observed by Meta, the actors were seen posing as recruiters for both legitimate and fake defense companies and governments as well as military personnel and journalists to lure victims. Based on the TTPs observed, it seems as though the group behind the latest GravityRAT campaign is also contacting victims on Facebook and Instagram. After initiating a conversation, the actors will trick victims into clicking on a link or attachment, which in turn leads to the download of GravityRAT.
For its part, once GravityRAT is executed, it will start to extract the following data from the victim’s device:
According to ESET, this data is stored in text files on external media and then exfiltrated to a C2 server controlled by the malware operator.
Suggested Correction(s):
Avoid downloading software from third-party sites as threat actors will typically create such domains to infect unsuspecting victims. Also, users should be careful not to click on links or attachments that come in emails or messages from unknown senders.
Link(s):
https://thehackernews.com/2023/06/warning-gravityrat-android-trojan.html