Researchers have spotted an updated version of the Android GravityRAT spyware targeting WhatsApp backups.
GravityRAT is a remote access tool that has been observed since at least 2015. It was previously used in targeted attacks against India. The new variant of the malware is being distributed via two messaging apps called BingeChat and Chatico.
This particular variant, starting around August 2022, specifically aims at gaining unauthorized access to WhatsApp backups, potentially compromising sensitive personal information.
BingeChat and Chatico, available on the Google Play Store, were repurposed to carry out these malicious activities, evading initial suspicion. It indulges in extracting user data from compromised devices and remotely issuing commands to delete information.
Notably, the malicious apps also provide legitimate chat functionality based on the open-source OMEMO Instant Messenger app.
The discovery of this campaign came after the company’s security researchers were alerted by MalwareHunterTeam, who shared the hash for a GravityRAT sample on Twitter.
This research was documented by researchers from ESET
Indicators of Compromise