Tag Archive for: GravityRAT

GravityRAT Android Malware Variant Steals WhatsApp Backups


Heads up, Android users! The latest GravityRAT malware variant now targets Android devices and steals WhatsApp chat backups. The malware reaches the devices by posing as a chat app. Again, this highlights the essentiality of downloading only known apps from trusted sources.

GravityRAT Android Malware Steals WhatsApp Backups

According to a recent report from ESET, a new GravityRAT malware variant has been actively targeting Android devices.

GravityRAT is a spyware known since 2015 as a potent remote access trojan targeting Windows, macOS, and Android systems. It has run numerous malicious campaigns with different iterations, each bearing more advanced malicious capabilities.

The recent GravityRAT variant targets Android devices and steals various files, including WhatsApp backups. To achieve this goal, the threat actors rolled out “BingeChat,” – a supposed chat app. The app offers numerous attractive features, including end-to-end encryption, voice chats, file sharing, an easy user interface, and free availability to lure users.

To further instigate curiosity and add a sense of legitimacy to the app, the threat actors have restricted the app download to an “invite-only” mode with registration requirements. This seemingly prevents the app analysis from potential researchers and ensures a targeted victim base.

Apparently, the app functions usually because the threat actors have developed it on the open-source Android messenger OMEMO IM. That’s how it avoids alarming users about the embedded GravityRAT malware in this trojanized app.

After being downloaded and installed, the app requests risky permissions, which any legit messaging app would request. These include access to SMS messages, contact lists, call logs, location, and device details. Once obtained, the app transmits all this information to the attackers’ C&C.

Alongside these capabilities, the new GravityRAT malware hidden inside the BingeChat app also receives commands regarding file deletion, call log deletion, and contact list deletion. Moreover, it steals files with various extensions, including crypt14, crypt12, crypt13, and crypt18 extensions that often represent WhatsApp chat

Source…