In the Cyber Security scene, staying on top of the latest Cyber threats and trends is essential to preparing for them. In this blog, we’ll be raising awareness of recent Spyware attacks that have already harvested the sensitive information of WhatsApp users.
The WhatsApp Spyware itself
An updated version of the Android GravityRAT spyware targeting WhatsApp backups has been discovered by security researchers at ESET.
In an advisory published by the firm on Thursday, ESET malware researcher Lukas Stefanko said the new variant of the malware is being distributed via two messaging apps called BingeChat and Chatico.
GravityRAT is a remote access tool that has been observed since at least 2015. It was previously used in targeted attacks against India. Below is an example image of what this looked like to some users:
While it is available for Windows, Android and macOS platforms, its origin and the group behind it, known internally by ESET as SpaceCobra, remain unknown.
The novel variant observed by ESET, in a campaign that started around August 2022, specifically aims at gaining unauthorized access to WhatsApp backups, potentially compromising sensitive personal information.
BingeChat and Chatico, available on the Google Play Store, were repurposed to carry out these malicious activities, evading initial suspicion.
“The trojanized BingeChat app is available for download from a website that presents it as a free messaging and file-sharing service,” Stefanko wrote.
The malware’s capabilities include extracting user data from compromised devices and remotely issuing commands to delete information.
Notably, the malicious apps also provide legitimate chat functionality based on the open-source OMEMO Instant Messenger app.
ESET clarified that while the BingeChat campaign is most likely ongoing, the Chatico app is no longer active.
How it was handled
The discovery of this campaign came after the company’s security researchers were alerted by MalwareHunterTeam, who shared the hash for a GravityRAT sample on Twitter.
The ESET advisory contains indicators of compromise (IoCs) for the new threat.
While SpaceCobra’s campaigns are highly targeted and usually focused on India, all Android users should avoid downloading APKs outside of Google Play and be wary of dangerous permission requests when installing any app.
Conclusion
In conclusion, this Spyware attack should be taken as a reminder of why everyone should invest time, effort and money into their Cyber Security, whether you are an individual, business or organisation.
This is because anyone can be a victim of a Cyber attack. As the saying goes, “You can’t fight what you can’t see”.
Because of this, we strongly suggest you consider Cyber Security training or a government-backed scheme for your business, such as Cyber Essentials.
We hope you’ve liked this blog and that you’ll stick around to see our future releases, covering everything from recent IT News to Knowledgebase articles. Thanks for reading!