GravityRAT Android Trojan Steals WhatsApp Backups and Deletes Files

June 15, 2023 | Ravi Lakshmanan | Mobile Security / Privacy


An updated version of the Android remote access trojan GravityRAT has been found masquerading as the messaging apps BingeChat and Chatico as part of a targeted campaign that has been active since June 2022.

“What is noteworthy about the newly discovered campaign is that GravityRAT may receive commands to extract WhatsApp backups and delete files,” ESET researcher Lukáš Štefanko said in a report published today.

“The malicious app also provides legitimate chat functionality based on the open-source OMEMO instant messenger app.”

GravityRAT is the name given to a cross-platform malware family capable of targeting Windows, Android and macOS devices. The Slovak cybersecurity firm tracks the activity under the name SpaceCobra.


The threat actor is suspected to be based in Pakistan and, as Meta disclosed last month, recently targeted military personnel in the Indian and Pakistani Air Forces by disguising GravityRAT as cloud storage and entertainment apps.

The use of chat apps as decoys to distribute the malware was previously highlighted by Cyble in November 2021, when it analyzed a sample named “SoSafe Chat” that had been uploaded to the VirusTotal database from India.

The chat apps are not available on Google Play but are distributed through rogue websites that advertise free messaging services: bingechat[.]net and chatico[.]co[.]uk.

“The group used fictitious personas, posing as fake defense companies, governments, military personnel, journalists, recruiters, and women seeking to establish romantic relationships in order to build trust with their targets,” Meta said in its Quarterly Adversarial Threat Report.


The tactic aims to get potential targets to contact the operators on Facebook or Instagram and then trick them into clicking a link to download the malicious app.

Like most Android backdoors, GravityRAT masquerades as a seemingly legitimate app, requests intrusive permissions, and collects sensitive information such as contacts, SMS messages, call logs, files, location data and voice recordings without the victim's knowledge.

The captured data is ultimately exfiltrated to a remote server under the threat actor's control. It's worth noting that using the app requires the victim to create an account.


What makes the new version of GravityRAT stand out is its ability to steal WhatsApp backup files and to receive instructions from its command-and-control (C2) server to delete call logs, contact lists, and files with specific extensions.

“These are very special commands that you don't typically see in Android malware,” Štefanko noted.
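The two capabilities described above, broad data collection through intrusive permissions and access to WhatsApp backups, both leave static traces in an APK. The following triage script is an added example written for this article; it is not ESET's tooling and contains no GravityRAT indicators. It parses a constructed AndroidManifest.xml, maps the declared permissions onto the data classes the article lists (contacts, SMS, call logs, files, location, audio), flags those a chat app cannot justify, and scans a constructed string dump (as produced by `strings` or a decompiler) for references to WhatsApp's local backup location (`WhatsApp/Databases`, `msgstore*.db.crypt<N>`). The expected permission baseline for a chat app and the suspicion threshold are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime permissions mapped to the data class each one unlocks. Only the classes
# named in the article are covered; extend the table for other triage needs.
PERMISSION_DATA_CLASS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_logs",
    "android.permission.WRITE_CALL_LOG": "call_logs",      # required to delete call logs
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.WRITE_EXTERNAL_STORAGE": "files",  # required to delete files on shared storage
    "android.permission.MANAGE_EXTERNAL_STORAGE": "files",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio",
}

# Permissions that grant the ability to destroy data, not just read it.
DESTRUCTIVE_PERMISSIONS = {
    "android.permission.WRITE_CALL_LOG",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}

# Assumption for this example: a messaging app can justify contacts (address book),
# audio (voice messages) and files (attachments); everything else is excess.
EXPECTED_FOR_CHAT = {"contacts", "audio", "files"}

# WhatsApp keeps local chat backups as msgstore*.db.crypt<N> under WhatsApp/Databases.
WHATSAPP_BACKUP_RE = re.compile(
    r"msgstore[^\s\"']*\.db\.crypt\d+|WhatsApp/Databases", re.IGNORECASE
)


def manifest_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def data_classes(permissions):
    """Map declared permissions onto the data classes they expose."""
    return {PERMISSION_DATA_CLASS[p] for p in permissions if p in PERMISSION_DATA_CLASS}


def whatsapp_backup_refs(strings):
    """Collect distinct string fragments that reference WhatsApp backup storage."""
    return sorted({m.group(0) for s in strings for m in WHATSAPP_BACKUP_RE.finditer(s)})


def triage(manifest_xml, strings):
    """Score a self-described chat app: excess data classes, destructive
    permissions and WhatsApp backup references raise the suspicion flag."""
    perms = manifest_permissions(manifest_xml)
    classes = data_classes(perms)
    excess = classes - EXPECTED_FOR_CHAT
    refs = whatsapp_backup_refs(strings)
    # Threshold is an assumption: any backup reference, or two or more excess classes.
    suspicious = bool(refs) or len(excess) >= 2
    return {
        "data_classes": sorted(classes),
        "excess": sorted(excess),
        "can_delete": sorted(DESTRUCTIVE_PERMISSIONS & perms),
        "whatsapp_backup_refs": refs,
        "suspicious": suspicious,
    }


# Constructed sample input; not taken from any real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

SAMPLE_STRINGS = [  # constructed string dump of the same hypothetical APK
    "/storage/emulated/0/WhatsApp/Databases/",
    "msgstore.db.crypt14",
    ".pdf;.docx;.jpg",
    "POST /upload HTTP/1.1",
]

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest, strs in (("sample", SAMPLE_MANIFEST, SAMPLE_STRINGS),
                                  ("benign", BENIGN_MANIFEST, [])):
        print(label, triage(manifest, strs))
```

In practice you would feed the script the manifest decoded by apktool or aapt and the string output of a decompiler; the permission table alone is a weak signal, since legitimate apps also over-request, so the WhatsApp backup path reference is the more discriminating indicator here.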

The development comes amid the discovery of a new strain of banking and stealer malware known as HelloTeacher, which targets Android users in Vietnam, siphons sensitive data under the guise of legitimate messaging apps such as Viber and Kik, and abuses accessibility services APIs to carry out illicit fund transfers.

Also uncovered by Cyble is a cloud mining scam that “encourages users to download malicious applications to start mining” and then abuses accessibility service permissions to collect sensitive information from cryptocurrency wallet and banking apps.

The financial trojan, codenamed Roamer, exemplifies the trend of using phishing websites and Telegram channels as distribution vectors, effectively expanding the potential victim pool.

“Users should be cautious and avoid following suspicious cryptocurrency mining channels on platforms like Telegram, as these channels can lead to huge financial losses and put sensitive personal data at risk,” Cyble said.
