WhatsApp backups let users move their message history, media files and other data to a new device, which means they hold sensitive content such as text, video, photos and documents in unencrypted form. That makes them a tempting target, and Android users now have reason to be cautious: a new Android malware campaign is spreading the latest version of GravityRAT. The campaign has been active since August 2022 and infects mobile devices through a trojanized chat app named ‘BingeChat’, which attempts to steal data from victims’ devices.

GravityRAT is Stealing WhatsApp backups

According to the latest reports, this spyware is distributed under the name ‘BingeChat’, presented as an end-to-end encrypted chat app with a simple interface and advanced features.

According to ESET, the app is provided through “bingechat[.]net” and possibly through other domains or distribution channels. The download is invite-based: visitors are asked to enter valid credentials or register a new account, and since registrations are currently closed, the operators can limit delivery of the malicious app to targeted people. This also makes it more difficult for researchers to obtain a copy for analysis.


Stefanko also revealed that the app is a trojanized version of OMEMO IM, a legitimate open-source instant messenger app for Android. Reports say that BingeChat requests dangerous permissions upon installation on the target’s device: access to contacts, location, phone, SMS, storage, call logs, camera and microphone. Because these are standard permissions for instant messaging apps, they usually do not raise suspicion or appear abnormal to the victim.

Before the user even registers in BingeChat, the app sends call logs, contact lists, SMS messages, device location and basic device information to the threat actor’s command and control (C2) server. It also steals media and document files with the extensions jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, XML, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18 and crypt32; the crypt12, crypt13 and crypt14 extensions are used by WhatsApp’s local message backup files, which is how the spyware gets hold of the backups. Finally, GravityRAT can receive three commands from the C2: “delete all files”, “delete all contacts” and “delete all call logs”.

All Android users should avoid installing APKs from outside Google Play and should be wary of risky permission requests when installing any app.
