SpaceCobra group goes after WhatsApp backups using Android spyware GravityRAT, ESET Research discovers

The trojanized BingeChat app is available for download from a website that presents it as a free messaging and file sharing service.

This version of GravityRAT is enhanced with two new capabilities: receiving commands to delete files and exfiltrating WhatsApp backup files.

The campaign is very likely highly targeted. Just as in previously documented SpaceCobra campaigns, the Chatico campaign targeted a user in India.

DUBAI - UAE: ESET researchers have identified an updated version of the Android-based GravityRAT spyware being distributed as the messaging apps BingeChat and Chatico. GravityRAT is a remote access tool previously used in targeted attacks against users in India. Windows, Android, and macOS versions are available. The actor behind GravityRAT remains unknown; ESET Research tracks the group as SpaceCobra. Most likely active since August 2022, the BingeChat campaign is still ongoing. In the newly discovered campaign, GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files. The malicious apps also provide legitimate chat functionality based on the open-source OMEMO Instant Messenger app.

Just as in previously documented SpaceCobra campaigns, the Chatico campaign targeted a user in India. The BingeChat app is distributed through a website that requires registration, likely open only when the attackers expect specific victims to