According to ESET researcher Lukas Stenfanko who examined a sample after getting a tip from MalwareHunterTeam, it was found that one of the noteworthy new features seen in the most recent GravityRAT version is the ability to collect WhatsApp backup files.
GravtiRAT
A remote access tool called GravityRAT has been used in targeted cyberattacks on India since at least 2015 and is known to be in use. There are versions for Windows, Android, and macOS, as previously reported by Cisco Talos, Kaspersky, and Cyble. However it is still unknown who is the actor behind GravityRAT, the group has been internally defined as SpaceCobra.
Although GravityRAT has been active since at least 2015, it only began specifically focusing on Android in 2020. Its operators, 'SpaceCobra,' only employ the malware in specific targeting tasks.
Current Android Campaign
According to ESET, the app is delivered via “bingechat[.]net” and other domains or distribution channels, however, the downloads require invites, entering valid login information, or creating a new account.
While registrations are currently closed, this method only enables the threat actors to distribute the malware to targeted users. Additionally, accessing a copy for analysis becomes more difficult for researchers.
Upon installation on the target's smartphone, the BingeChat app makes dangerous requests for access to contacts, location, phone, SMS, storage, call records, camera, and microphone.
Since these are some typical permissions asked of the users for any instant messaging apps, the malicious app goes unsuspected.
The program provides call records, contact lists, SMS messages, device location, and basic device information to the threat actor's command and control (C2) server before the user registers on BingeChat.
Along with the aforementioned records, files, and document files of jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18, and crypt32 types, have also been compromised.
While SpaceCobra’s malware campaign is mainly targeting India, all Android users are advised to refrain from downloading APKs anywhere other than Google Play and be very careful with potentially risky permission requests while installing any app.