GravityRAT Mobile Threat Hides in Chat Apps

Researchers have discovered a recently updated version of the Android GravityRAT spyware being circulated inside two messaging applications, BingeChat and Chatico. GravityRAT is a remote access tool that has been in use since at least 2015 and has previously been employed in targeted attacks against India. Windows, Android, and macOS versions of the spyware have been documented by Cisco Talos, Kaspersky, and Cyble, among others. The group responsible for GravityRAT, which the researchers track internally as SpaceCobra, remains unidentified.

The BingeChat campaign, which likely started in August 2022, is still active, while the Chatico campaign is no longer operational. BingeChat is distributed through a website that advertises free messaging services. Notably, this latest version of GravityRAT can exfiltrate WhatsApp backups and accept commands to delete files. To stay convincing, the malicious apps also provide working chat functionality, built on the open-source OMEMO Instant Messenger app.

MalwareHunterTeam alerted researchers to the campaign by tweeting the hash of a GravityRAT sample. The APK file name identified the malicious app as BingeChat, which claims to offer messaging services. Researchers then located the website bingechat[.]net, from which this sample could have been downloaded. Downloading the app, however, required logging in, and registration was closed. Registrations are likely opened only when the operators expect a specific victim to visit, possibly gated by IP address, geolocation, a custom URL, or a specific time window. Researchers therefore believe that potential victims are highly targeted.

Means of Distribution

Although researchers couldn't download the BingeChat app from the website directly, they found a URL on VirusTotal pointing to a BingeChat.zip file that contained the malicious BingeChat Android app. This app had the same hash as the sample mentioned in the tweet, indicating that this URL served as a distribution point for that specific GravityRAT sample.

Furthermore, the BingeChat app's code references the same domain, bingechat[.]net, which suggests the domain was used for distribution. The malicious app has never been available on Google Play. Instead, it is a modified version of the legitimate open-source OMEMO Instant Messenger (IM) Android app, rebranded as BingeChat. OMEMO IM itself is a rebuild of the Conversations Android Jabber (XMPP) client.

The HTML of the malicious website was copied from the legitimate page preview.colorlib.com/theme/BingeChat/ on July 5th, 2022, using the automated website-copying tool HTTrack. Colorlib.com is a genuine site that provides downloadable WordPress themes, although the BingeChat theme no longer appears to be available there. The bingechat[.]net domain was registered on August 18th, 2022.

Threat Actor Behind GravityRAT Still Unclear

Although Facebook researchers have attributed GravityRAT to a group based in Pakistan, in line with earlier speculation by Cisco Talos, the group behind the malware remains unidentified. The researchers refer to it internally as SpaceCobra and attribute both the BingeChat and Chatico campaigns to it.

The malicious functionality characteristic of GravityRAT lives in a specific code segment, one that researchers previously linked to the group deploying Windows variants of GravityRAT in 2020.

In 2021, Cyble published an analysis of another GravityRAT campaign that followed the same pattern as BingeChat: a comparable distribution method in which the trojanized app posed as a legitimate chat application (SoSafe Chat in that case), the use of open-source OMEMO IM code, and identical malicious functionality. Figure 6 compares the malicious classes in the GravityRAT sample analyzed by Cyble with those in the new BingeChat sample. Based on this comparison, the malicious code in BingeChat can confidently be assigned to the GravityRAT malware family.

June 16, 2023