The research team at ESET, a company focused on proactive threat detection, has found a new version of GravityRAT, malware built specifically for Android devices that can steal users' photos and videos, including intimate content.
This Android version is distributed as the trojanized messaging apps BingeChat and Chatico; GravityRAT variants also exist for Windows and macOS.
GravityRAT has been active since at least 2015. The group behind it, which ESET tracks as SpaceCobra, has now extended the Android version to steal WhatsApp Messenger backups and to receive commands to delete files. The campaign uses messaging apps as its lure.
“We had no credentials and registration was closed. Most likely, the operators behind this campaign only open registration when they expect a specific victim to visit the site, perhaps based on a specific IP address, geolocation, custom URL, or time window,” said Camilo Gutiérrez Amaya, Head of the ESET Research Lab in Latin America.
On first launch, the app asks the user to grant all the permissions it needs to work. Apart from permission to read call logs, the permissions requested are typical of any messaging app.
The app then offers options to create an account and log in. Even before the user has opened a profile in the app, GravityRAT begins communicating with its command and control (C&C) server, exfiltrating data from the device and waiting for commands to execute.
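The one permission that gives the app away is READ_CALL_LOG, which no chat client needs. The following script, added here as an example and not code from ESET or the report, shows the kind of manifest check an analyst or app-vetting pipeline can run: it parses a decoded AndroidManifest.xml (a compiled APK carries a binary manifest, so decode it first with a tool such as apktool) and reports every requested permission that falls outside a baseline for messaging apps. The baseline, the high-risk set, the package name and the manifest fragment are all assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions a legitimate chat client plausibly needs. This baseline is an
# assumption made for the example, not a list taken from the ESET report.
MESSAGING_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.VIBRATE",
}

# Permissions that are a strong warning sign in a chat app (assumption).
HIGH_RISK = {
    "android.permission.READ_CALL_LOG",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

# Constructed, already-decoded manifest with a fictitious package name. The
# only permission outside the baseline is READ_CALL_LOG, as the report describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <application android:label="Chat App"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def review_permissions(manifest_xml, baseline=MESSAGING_BASELINE):
    """Flag permissions outside the messaging baseline and any in the high-risk set."""
    root = ET.fromstring(manifest_xml)
    requested = requested_permissions(manifest_xml)
    return {
        "package": root.get("package"),
        "unexpected": sorted(requested - baseline),
        "high_risk": sorted(requested & HIGH_RISK),
    }


if __name__ == "__main__":
    report = review_permissions(SAMPLE_MANIFEST)
    print("package:   ", report["package"])
    print("unexpected:", ", ".join(report["unexpected"]) or "none")
    print("high risk: ", ", ".join(report["high_risk"]) or "none")
```

A permission outside the baseline is not proof of malice on its own; the point is that a chat app asking for call-log access deserves a closer look at what the code does with it.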
It can exfiltrate:
– Call logs
– Contact list
– SMS messages
– Files with the following extensions: jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18, crypt32 (the crypt* extensions correspond to encrypted WhatsApp message backups)
– Device location
– Basic device information
The stolen data is written to text files on external storage, uploaded to the C&C server and then deleted from the device. This version also accepts commands from the server to delete specific files on the device, a capability rarely seen in Android malware.
Older Android versions of GravityRAT could not receive commands at all; they could only upload the collected data to one of their servers at a set time.
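The extension list above is the most concrete indicator of what a compromised device leaks. The script below, an added example rather than code from ESET or the report, applies that list to a file listing so an analyst can see at a glance which files the malware would have collected, grouped by the kind of data exposed. It reproduces the published list exactly; the presence of both lower- and upper-case spellings suggests the malware matches extensions literally, so the example does the same and treats mixed-case names such as ".Jpg" as unmatched. The grouping categories and the sample paths are this example's own assumptions.

```python
import os

# Extension list exactly as published in the ESET report. Both "jpg" and "JPG"
# appear, which points to exact, case-sensitive matching.
TARGETED_EXTENSIONS = frozenset([
    "jpg", "jpeg", "log", "png", "PNG", "JPG", "JPEG", "txt", "pdf", "xml",
    "doc", "xls", "xlsx", "ppt", "pptx", "docx", "opus",
    "crypt14", "crypt12", "crypt13", "crypt18", "crypt32",
])

# Groupings used for the triage summary (the categories are this example's own).
WHATSAPP_BACKUPS = {e for e in TARGETED_EXTENSIONS if e.startswith("crypt")}
MEDIA = {"jpg", "jpeg", "png", "PNG", "JPG", "JPEG", "opus"}
DOCUMENTS = TARGETED_EXTENSIONS - WHATSAPP_BACKUPS - MEDIA

# Constructed sample listing. The paths follow common Android external-storage
# layouts but are not taken from the report.
SAMPLE_PATHS = [
    "/sdcard/WhatsApp/Databases/msgstore.db.crypt14",
    "/sdcard/WhatsApp/Databases/msgstore-2023-05-01.1.db.crypt12",
    "/sdcard/DCIM/Camera/IMG_0001.jpg",
    "/sdcard/DCIM/Camera/IMG_0002.JPG",
    "/sdcard/DCIM/Camera/IMG_0003.Jpg",      # mixed case: not on the list
    "/sdcard/Download/contract.docx",
    "/sdcard/Download/notes.txt",
    "/sdcard/Download/movie.mp4",            # not on the list
    "/sdcard/Download/archive.tar.gz",       # only the final extension counts
    "/sdcard/Android/data/com.example.app/files/app.log",
]


def extension(path):
    """Last extension of the file name without the dot, or '' if it has none."""
    return os.path.splitext(path)[1][1:]


def is_targeted(path):
    """True if GravityRAT's published extension list would select this file."""
    return extension(path) in TARGETED_EXTENSIONS


def triage(paths):
    """Group a listing by the kind of data the malware would have uploaded."""
    summary = {"whatsapp_backups": [], "media": [], "documents": [], "untargeted": []}
    for path in paths:
        ext = extension(path)
        if ext in WHATSAPP_BACKUPS:
            summary["whatsapp_backups"].append(path)
        elif ext in MEDIA:
            summary["media"].append(path)
        elif ext in DOCUMENTS:
            summary["documents"].append(path)
        else:
            summary["untargeted"].append(path)
    return summary


if __name__ == "__main__":
    for kind, files in triage(SAMPLE_PATHS).items():
        print(f"{kind}: {len(files)}")
        for f in files:
            print("   ", f)
```

Feed it a real listing (for example the output of `find /sdcard -type f` captured from the device) and the "whatsapp_backups" bucket tells you immediately whether an encrypted message history was within reach of the malware.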
“We do not know how potential victims were lured to the malicious website or otherwise discovered it. Bearing in mind that the ability to download the application is conditional on having an account, and that it was not possible to register a new account at the time of the analysis, we believe that the victims of this campaign were specifically selected,” the researcher stated.
The group behind the malware reuses code from the legitimate instant messaging app OMEMO IM to provide the chat functionality of the malicious BingeChat and Chatico apps.
According to the researchers, the BingeChat campaign has probably been active since August 2022 and is still running, while the Chatico campaign is no longer active. Judging by the name of its APK file, the malicious app presents itself as BingeChat and claims to offer messaging functionality.
The researchers found the website that distributes the sample, from which the malicious application is supposed to be downloaded after completing the registration process. Because the site requires visitors to log in, they consider the potential victims to be highly targeted.
According to the research team, the malicious app was never available on Google Play. It is a trojanized copy of the legitimate Android app OMEMO Instant Messenger (IM), rebranded as BingeChat. OMEMO IM is itself a rebuild of an existing Android chat client.
Data exfiltration occurs when confidential information is removed or stolen from a system or device without authorization. It can happen in a number of ways, such as theft of files or the use of malware. It is a serious problem because it puts privacy and information security at risk; cybercriminals typically carry it out to commit fraud or extortion.