Since August 2022, a new Android malware campaign has been spreading the latest version of GravityRAT, infecting mobile devices with a trojanized chat app called ‘BingeChat.’ The malware aims to steal data from victims’ devices, with one of its notable additions being the capability to steal WhatsApp backup files.
GravityRAT, operated by ‘SpaceCobra,’ has been active since at least 2015 and started targeting Android devices in 2020.
The trojanized chat app, ‘BingeChat,’ is presented as an end-to-end encrypted chat app with advanced features. The app is delivered through “bingechat[.]net” and requires invite-based registration, making it harder for researchers to analyze. GravityRAT’s operators have used similar tactics in the past, such as distributing malicious APKs through other chat apps like ‘SoSafe’ and ‘Travel Mate Pro.’
BingeChat requests risky permissions upon installation, including access to contacts, location, phone, SMS, storage, call logs, camera, and microphone. These permissions appear standard for messaging apps, making them less likely to raise suspicion.
Before registration, the app sends various data, including call logs, contacts, SMS messages, device location, and basic device information, to the threat actor’s command and control server. Additionally, the malware steals media and document files, including WhatsApp backups.
GravityRAT’s latest version also allows for commands from the command and control server to delete specific files, contacts, or call logs on the victim’s device.
While SpaceCobra’s campaigns are highly targeted, primarily focused on India, all Android users are advised to avoid downloading APKs from sources outside of Google Play and to exercise caution when granting permissions during app installation.
