ESET researchers discovered an updated version of Android GravityRAT spyware that steals WhatsApp backup files and can delete files. The malware is distributed as the messaging apps BingeChat and Chatico.
MalwareHunterTeam researchers first shared the hash for a GravityRAT sample via a tweet.
Possible interesting GravityRAT sample: caf0a39318cfc1e65eae773a28de62ce08b7cf1b9d4264e843576165411e2a84 @bl4ckh0l3z @LukasStefanko pic.twitter.com/wXyWL9OroH
— MalwareHunterTeam (@malwrhunterteam) March 17, 2023
GravityRAT was first spotted in 2017 by Cisco Talos researchers, who speculated that it had remained under the radar for at least a couple of years [since 2015].
The GravityRAT remote access trojan (RAT) is believed to be the work of Pakistani hacker groups; it was mainly employed in attacks aimed at Indian users.
The BingeChat campaign has been active since August 2022 and is still ongoing, while the campaign using Chatico is no longer active. The researchers discovered that BingeChat is distributed through a website set up by the threat actors to advertise free messaging services; the sample was hosted on bingechat[.]net.
The latest version of GravityRAT can exfiltrate WhatsApp backups while providing legitimate chat functionality based on the open-source OMEMO Instant Messenger app, which is a rebuild of the Android Jabber client Conversations.
The website serving the app requires visitors to log in; the researchers did not have credentials, and registration was closed.
“It is most probable that the operators only open registration when they expect a specific victim to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe. Therefore, we believe that potential victims are highly targeted,” reads the analysis published by ESET. “Considering that downloading the app is conditional on having an account and new account registration was not possible for us, we believe that potential victims were specifically targeted.”
GravityRAT allows operators to exfiltrate call logs, contact list, SMS messages, files with specific extensions (jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18, crypt32), device location, and basic device information.
The malware stores the data to be exfiltrated in text files on external media, exfiltrates those files to the C2 server, and then removes them.
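For responders scoping what a device exposed, the extension list above can be applied to a file listing pulled from the handset. This is an added example, not code from ESET or from the article; the function names and sample paths are constructed, and treating the list as case-sensitive is an assumption based on it naming both `jpg` and `JPG`.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Extensions exactly as listed in the article (upper- and lower-case entries kept distinct).
TARGETED = {
    "jpg", "jpeg", "log", "png", "PNG", "JPG", "JPEG", "txt", "pdf", "xml",
    "doc", "xls", "xlsx", "ppt", "pptx", "docx", "opus",
    "crypt14", "crypt12", "crypt13", "crypt18", "crypt32",
}

def category(ext):
    """Group a matched extension for the exposure report (grouping is this example's own)."""
    if ext.startswith("crypt"):
        return "whatsapp_backup"
    if ext.lower() in {"jpg", "jpeg", "png"}:
        return "image"
    if ext == "opus":
        return "audio"
    return "document"

def scope_exposure(paths, case_sensitive=True):
    """Return {category: [paths]} for files whose final extension is in the targeted list."""
    wanted = TARGETED if case_sensitive else {e.lower() for e in TARGETED}
    hits = defaultdict(list)
    for path in paths:
        # Only the last suffix counts: msgstore.db.crypt14 -> "crypt14".
        ext = PurePosixPath(path).suffix[1:]
        key = ext if case_sensitive else ext.lower()
        if key in wanted:
            hits[category(key)].append(path)
    return dict(hits)

# Constructed sample listing, e.g. as produced by a recursive file listing of shared storage.
SAMPLE_LISTING = [
    "/sdcard/Android/media/com.whatsapp/WhatsApp/Databases/msgstore.db.crypt14",
    "/sdcard/DCIM/Camera/IMG_0001.jpg",
    "/sdcard/Download/report.PDF",
    "/sdcard/Documents/notes.txt",
    "/sdcard/Music/track.mp3",
    "/sdcard/Download/archive.tar.gz",
    "/sdcard/Recordings/voice_0001.opus",
]

if __name__ == "__main__":
    for cat, files in scope_exposure(SAMPLE_LISTING).items():
        print(cat, len(files), files)
```

Running it with `case_sensitive=False` gives the conservative upper bound, which is the safer figure to report when the matching behaviour has not been confirmed.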
“Known to have been active since at least 2015, SpaceCobra has resuscitated GravityRAT to include expanded functionalities to exfiltrate WhatsApp Messenger backups and receive commands from a C&C server to delete files,” concludes ESET, which also provided indicators of compromise (IoCs) for this campaign.