SpaceCobra Uses Android GravityRAT Malware to Target WhatsApp Backups
Researchers at ESET have identified a new version of the Android GravityRAT spyware. It targets WhatsApp backups and is distributed as two messaging apps, BingeChat and Chatico, which are trojanized builds of the legitimate OMEMO IM app.
GravityRAT is a remote access tool that has been active since 2015 and has been used against specific targets in India. It is cross-platform and its developers are unknown, but ESET tracks the group behind it under the internal name SpaceCobra.
The tool has variants for Windows, macOS and Android; this Android campaign is believed to have been active since August 2022. Beyond reading every file in the device’s WhatsApp backups, it exfiltrates other sensitive data from the device.
BingeChat and Chatico are not available on the Google Play store; they are distributed through bingechat[.]net and chatico[.]co[.]uk, dubious websites that promote free file-sharing and chat services.
The malware is designed to extract all data from WhatsApp backups and can receive remote instructions to delete information on the device, including call logs, contacts, and specific files. “These are very specific commands that are not typically seen in Android malware,” ESET’s researchers noted.
Without the victim’s knowledge, GravityRAT also exfiltrates SMS messages, location data, files including photos, videos and audio recordings, and call logs to an attacker-controlled C2 server. It needs no exploit to do this: it relies on legitimate Android app functionality, requesting the standard permissions a messaging app would normally ask for (messages, contacts, location, storage and so on), which the user grants at install time or on first use.
According to ESET, Chatico is no longer active, but BingeChat is still operational. Both apps are aimed at specific targets: the one documented Chatico deployment by SpaceCobra was against an India-based user, and BingeChat can only be downloaded after registering on its website, and registration is not open to everyone.
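Because the spyware needs nothing beyond ordinary runtime permissions, one practical triage step for a sideloaded messenger is to look at what it has actually been granted and whether the combination matches the capabilities described above (SMS, call logs, contacts, location, files, audio). The script below is an added example written for this page, not ESET’s tooling or GravityRAT code. It parses the “runtime permissions:” section of `adb shell dumpsys package <pkg>` output; the embedded sample is constructed to resemble that output, and the package name com.example.chat is hypothetical. The capability threshold of four is an assumption chosen for illustration.

```python
"""Triage an Android app's granted runtime permissions for spyware-like capability.

Added example for this article; it is not ESET's code or the malware's code.
Input is the text of `adb shell dumpsys package <pkg>`; only the
"runtime permissions:" section is used.
"""
import re
from typing import Dict, List

# Constructed sample in the shape of `adb shell dumpsys package com.example.chat`
# output (package name and userId are hypothetical).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.chat] (a1b2c3d):
    userId=10234
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET|USER_FIXED ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""

# Each data-theft capability the article attributes to GravityRAT, mapped to the
# runtime permissions that provide it. A legitimate messenger may hold several
# of these; the signal is the combination, not any single grant.
CAPABILITIES: Dict[str, List[str]] = {
    "sms": ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS"],
    "call_logs": ["android.permission.READ_CALL_LOG"],
    "contacts": ["android.permission.READ_CONTACTS"],
    "location": ["android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"],
    "files_media": ["android.permission.READ_EXTERNAL_STORAGE",
                    "android.permission.READ_MEDIA_IMAGES",
                    "android.permission.READ_MEDIA_VIDEO",
                    "android.permission.READ_MEDIA_AUDIO"],
    "audio": ["android.permission.RECORD_AUDIO"],
}

# One line of the runtime permissions section: "<perm>: granted=<true|false>, ..."
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_runtime_permissions(dumpsys_text: str) -> Dict[str, bool]:
    """Return {permission: granted} from the 'runtime permissions:' section."""
    grants: Dict[str, bool] = {}
    in_section = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "runtime permissions:":
            in_section = True
            continue
        if not in_section or not stripped:
            continue
        m = PERM_RE.match(line)
        if not m:
            break  # first non-permission line ends the section
        grants[m.group(1)] = (m.group(2) == "true")
    return grants


def spyware_capabilities(grants: Dict[str, bool]) -> List[str]:
    """Capabilities for which at least one enabling permission is granted."""
    return sorted(cap for cap, perms in CAPABILITIES.items()
                  if any(grants.get(p, False) for p in perms))


def triage(dumpsys_text: str, threshold: int = 4) -> Dict[str, object]:
    """Flag the app if it holds at least `threshold` of the listed capabilities."""
    caps = spyware_capabilities(parse_runtime_permissions(dumpsys_text))
    return {"capabilities": caps, "suspicious": len(caps) >= threshold}


if __name__ == "__main__":
    result = triage(SAMPLE_DUMPSYS)
    print("granted capabilities:", ", ".join(result["capabilities"]))
    print("suspicious:", result["suspicious"])
```

On a real device, pipe `adb shell dumpsys package <pkg>` into `triage`. A hit is a reason to look closer (where the APK came from, whether it is on Google Play, what it talks to on the network), not proof of infection, since a genuine messenger can legitimately hold several of these permissions.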
“The BingeChat app is distributed through a website that requires registration, likely open only when the attackers expect specific victims to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe. In any case, the campaign is very likely highly targeted,” the research noted.
Since GravityRAT keeps reappearing in new, updated versions, Android users should follow strict security measures to mitigate such threats: install apps only from trusted sources rather than sideloading them from websites, review the permissions an app requests before granting them, and use mobile security software.