This dangerous new malware is after your WhatsApp backups

Google Android figure standing on laptop keyboard with code in background
(Image credit: Shutterstock / quietbits)

A hacking group known as SpaceCobra developed an instant messaging app that is also able to steal a lot of sensitive information from the target device. The threat actor seems to know exactly who it wants to target, as downloading the app has proven to be quite the challenge for researchers.

Cybersecurity researchers from ESET recently discovered that two messaging apps, called BingeChat and Chatico, were actually serving GravityRAT, a remote access trojan. This RAT was capable of exfiltrating plenty of sensitive information from compromised endpoints, including call logs, contact list, SMS messages, device location, basic device information, and files with specific extensions for pictures, photos, and documents.

No app store presence

What makes these two apps stand out from others delivering GravityRAT out there, is that these can also steal WhatsApp backups and receive commands to delete files. 

The way the malware is distributed makes this campaign even more unique. The apps cannot be found on app stores and were never uploaded to Google Play, for example. Instead, they can only be downloaded by visiting a specially crafted website and opening up an account. This might not sound like anything special, but the researchers from ESET could not open up an account as registrations were “closed” when they visited. This prompted them to conclude that the group was very precise with its targeting, possibly going for a specific location or IP address.

“It is most probable that the operators only open registration when they expect a specific victim to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe,” says ESET researcher Lukáš Štefanko. “Although we couldn’t download the BingeChat app via the website, we were able to find a distribution URL on VirusTotal,” he adds. 

That being said, the majority of the victims seem to reside in India. The attackers, SpaceCobra, are apparently of Pakistani origin. The campaign is most likely active since August last year, with one of the two (BingeChat) still being active, the researchers said. The malicious app, based on the open-source OMEMO Instant Messenger app, is available for Windows, macOS, and Android.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.