Skip to content

SpaceCobra group goes after WhatsApp backups using Android spyware GravityRAT, ESET Research discovers

  • ESET Research discovered a new version of Android GravityRAT spyware being distributed as trojanized versions of the legitimate open-source OMEMO Instant Messenger Android app.
  • The trojanized BingeChat app is available for download from a website that presents it as a free messaging and file sharing service.
  • This version of GravityRAT is enhanced with two new capabilities: receiving commands to delete files and exfiltrating WhatsApp backup files.
  • The campaign is very likely highly targeted. Just as in previously documented SpaceCobra campaigns, the Chatico campaign targeted a user in India.

BRATISLAVA, KOŠICE — June 15, 2023 — ESET researchers have identified an updated version of the Android-based GravityRAT spyware being distributed as the messaging apps BingeChat and Chatico. GravityRAT is a remote access tool previously used in targeted attacks against users in India. Windows, Android, and macOS versions are available. The actor behind GravityRAT remains unknown; ESET Research tracks the group known as SpaceCobra. Most likely active since August 2022, the BingeChat campaign is still ongoing. In the newly discovered campaign, GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files. The malicious apps also provide legitimate chat functionality based on the open-source OMEMO Instant Messenger app.

Just as in previously documented SpaceCobra campaigns, the Chatico campaign targeted a user in India. The BingeChat app is distributed through a website that requires registration, likely open only when the attackers expect specific victims to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe. In any case, the campaign is very likely highly targeted.

“We found a website that should provide the malicious app after tapping the DOWNLOAD APP button; however, it requires visitors to log in. We didn’t have credentials, and registrations were closed. It is most probable that the operators only open registration when they expect a specific victim to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe,” says ESET researcher Lukáš Štefanko, who investigated the malicious apps. “Although we couldn’t download the BingeChat app via the website, we were able to find a distribution URL on VirusTotal,” he adds. The malicious app has never been made available in the Google Play store.

ESET Research does not know how potential victims were lured to, or otherwise discovered, the malicious website. Considering that downloading the app is conditional on having an account and new account registration was not possible during the investigation, ESET believes that potential victims were specifically targeted.

The group behind the malware remains unknown, even though Facebook researchers attribute GravityRAT to a group based in Pakistan, as previously speculated by Cisco Talos. ESET tracks the group under the name SpaceCobra, and attributes both the BingeChat and Chatico campaigns to this group.

As part of the app’s legitimate functionality, it provides options to create an account and log in. Before the user signs into the app, GravityRAT starts to interact with its C&C server, exfiltrating the device user’s data and waiting for commands to execute. GravityRAT is capable of exfiltrating call logs, contact list, SMS messages, device location, basic device information, and files with specific extensions for pictures, photos, and documents. This version of GravityRAT has two small updates compared to previous, publicly known versions of GravityRAT: exfiltrating WhatsApp backups and receiving commands to delete files.

For more technical information about SpaceCobra and the latest campaign with Android GravityRAT, check out the blogpost “Android GravityRAT goes after WhatsApp backups” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

GravityRAT distribution mechanism

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.



Click one of our contacts below to chat on WhatsApp