GravityRAT Alert: Malware steals WhatsApp backups

The latest version of is spreading rapidly online GravityRATAndroid malware identified active since 2020 on that operating system.

This malicious agent uses a messaging app, called BingeChat, to act as a trojan and steal data from victims’ devices. According to what was reported by Lukas Stefankoresearcher of ESETit’s at MalwareHunterTeamthe main focus of GravityRAT are i chat backups Of WhatsApp.

These backup copies are generated by the popular messaging app to keep messages and media files in anticipation of a potential reset or smartphone change. What makes this type of attack particularly treacherous is precisely the content of the aforementioned backups. It is, in fact, about text, video e Photo often very personal.

GravityRAT steals a wide range of files from victims

BingeChat looks like a legitimate app, but it manages to both spread malware and make GravityRAT removal very difficult.

The modus operandi of the cybercriminals behind the malware is always the same, the only thing that changes is the app used for dissemination: in fact, before BingeChat, a similar software called SoSafe and before that an app known as Travel Mate Pro.

Upon installation the current app requires extensive permissions, such as access to contacts, position, telephone number, SMS, microphone and whatnot. These are standard permissions for instant messaging apps, so they are unlikely to arouse suspicion or appear anomalous to the victim.

Once the software obtains these permissions, however, it immediately begins its work. In this sense, the targeted files are many. It ranges from images (JPG, PNG, JPEG) to documents (PDF, DOC, DOCX) to spreadsheets. All this, of course, without the knowledge of the victim.

Also new to GravityRAT is its ability to receive three commands from the C2that means “delete all files” (of a specified extension), “delete all contacts” e “clear all call logs“. As it is easy to understand, this results in the potential loss of important data for the victim.

To minimize the risks related to this fearsome malware, the most important precaution is to avoid it file APK of dubious origin or in any case downloading apps from untrusted stores.


Please enter your comment!
Please enter your name here