- By Vikas Yadav
- Fri, 16 Jun 2023 11:01 PM (IST)
- Source: JND
JE Technology Desk: WhatsApp is among the most popular instant messaging apps worldwide. Owing to its popularity, it is also a favoured vehicle for scams and malware infections by bad actors. In the latest instance, ESET researchers uncovered an updated Android GravityRAT spyware that can steal WhatsApp backup files (and even delete them).
The researchers at the cybersecurity company found the spyware embedded in two messaging apps: BingeChat and Chatico. Android, Windows and macOS versions of these apps are available. The entity behind the attack is unknown to date. GravityRAT is a remote access tool, active since 2015 and used in targeted attacks in India, says ESET malware researcher Lukas Stefanko.
While Chatico is inactive now, the BingeChat campaign is still active, reportedly since August last year. The app is advertised as a free messaging service on a website. The upgraded GravityRAT can access WhatsApp backups and receive commands to delete them. The trojanized app also offers a chat function.
After launch, the app requests permissions, including Call logs, Contacts, Location, Phone, SMS, Storage, Microphone and Camera. Even before the user registers on the app, GravityRAT initiates contact with the C2 server to exfiltrate device data and execute commands. These can include exfiltrating call logs, the contact list, SMS messages, media files, location and device information. The commands may also include requests to delete WhatsApp Messenger's crypt (backup) files.
The app has never been listed on the Play Store and is distributed on an invite-only basis. SpaceCobra, the suspected operator, appears to have revived GravityRAT, in use since 2015, for data exfiltration. Although registration for the malicious app is currently closed, the attacker could reopen it to target a very specific audience.
How To Be Safe?
- Do not download apps from third-party stores or websites other than the Google Play Store
- When downloading apps from the Play Store, check the app's reviews and ratings
- Monitor the permissions an app requests and the files it accesses
- Disable the 'unknown sources' app installation setting on an Android device
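One way to act on the last two tips is to audit what is already on a device. The following is an added example, not code from ESET or the report: it parses text in the shape of `adb shell dumpsys package` output (a constructed sample with hypothetical package names is embedded) and flags apps that were not installed by the Play Store yet hold several of the permission groups the article lists.

```python
import re

# Runtime permissions behind the permission groups the article says the app requests.
RISKY = {
    "android.permission.READ_CALL_LOG": "Call logs",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.READ_PHONE_STATE": "Phone",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "Storage",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.CAMERA": "Camera",
}
PLAY_STORE = "com.android.vending"  # installer id recorded for Google Play installs

# Constructed sample in the shape of `adb shell dumpsys package` output; package names are hypothetical.
SAMPLE = """\
Package [com.example.chatapp] (1a2b3c):
    installerPackageName=null
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
Package [com.example.notes] (4d5e6f):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
"""

def parse_dumpsys(text):
    """Map each package to its installer and the runtime permissions actually granted."""
    apps, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*Package \[([\w.]+)\]", line):
            current = m.group(1)
            apps[current] = {"installer": None, "granted": set()}
        elif current and (m := re.match(r"\s*installerPackageName=(\S+)", line)):
            apps[current]["installer"] = None if m.group(1) == "null" else m.group(1)
        elif current and (m := re.match(r"\s*([\w.]+): granted=true", line)):
            apps[current]["granted"].add(m.group(1))  # only granted=true lines count
    return apps

def audit(apps, min_groups=4):
    """Flag sideloaded apps (installer is not the Play Store) holding several risky groups."""
    findings = []
    for pkg, info in apps.items():
        groups = sorted(RISKY[p] for p in info["granted"] if p in RISKY)
        if info["installer"] != PLAY_STORE and len(groups) >= min_groups:
            findings.append({"package": pkg, "installer": info["installer"], "groups": groups})
    return findings
```

On a real device, feed it the output of `adb shell dumpsys package` and treat each finding as a prompt to review the app, not as proof of infection.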
