New Version of Android GravityRAT Spyware Targets WhatsApp Backups

An updated version of the Android GravityRAT spyware targeting WhatsApp backups has been discovered by security researchers at ESET.

In an advisory published by the firm on Thursday, ESET malware researcher Lukas Stefanko said the new variant of the malware is being distributed via two messaging apps called BingeChat and Chatico.

GravityRAT is a remote access tool that has been observed since at least 2015. It was previously used in targeted attacks against India.

While it is available for Windows, Android and macOS platforms, its origin and the group behind it, known internally by ESET as SpaceCobra, remain unknown.

The new variant, observed by ESET in a campaign that began around August 2022, specifically aims at gaining unauthorized access to WhatsApp backups, potentially compromising sensitive personal information.

BingeChat and Chatico, available on the Google Play Store, were repurposed to carry out these malicious activities, evading initial suspicion.

“The trojanized BingeChat app is available for download from a website that presents it as a free messaging and file-sharing service,” Stefanko wrote.

The malware’s capabilities include extracting user data from compromised devices and remotely issuing commands to delete information.

Notably, the malicious apps also provide legitimate chat functionality based on the open-source OMEMO Instant Messenger app.

ESET clarified that while the BingeChat campaign is most likely ongoing, the Chatico app is no longer active.

The discovery of this campaign came after the company’s security researchers were alerted by MalwareHunterTeam, who shared the hash for a GravityRAT sample on Twitter.

“According to ESET telemetry, a user in India was targeted by the updated Chatico version of the RAT, similar to previously documented SpaceCobra campaigns,” Stefanko explained.

“The BingeChat version is distributed through a website that requires registration, likely open only when the attackers expect specific victims to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe. In any case, we believe the campaign is highly targeted.”

The ESET advisory contains indicators of compromise (IoCs) for the new threat.
