GravityRAT Android Trojan

An updated GravityRAT Android trojan steals WhatsApp backups and deletes files on command.

GravityRAT, an Android remote access trojan, has resurfaced disguised as the messaging apps BingeChat and Chatico. The targeted campaign has been running since June 2022, and the new build has two notable capabilities: it steals WhatsApp backup files and accepts commands to delete files on the device. ESET researcher Lukáš Štefanko describes the findings in a recently published report.

GravityRAT, which ESET attributes to the group it tracks as SpaceCobra, is cross-platform malware with variants for Windows, Android, and macOS, and the Slovak security firm has been monitoring it closely. The malicious apps are built on the open-source OMEMO Instant Messenger, so they offer working chat functionality alongside the spyware, which helps them pass as legitimate.

The operators behind GravityRAT are believed to be based in Pakistan and have targeted military personnel in India as well as the Pakistan Air Force, disguising the malware as cloud storage and entertainment apps. Meta recently disclosed these attacks.

Distribution through fake chat apps is not new for this group: in November 2021, Cyble found a sample called "SoSafe Chat" on VirusTotal. The current apps are distributed from the websites bingechat[.]net and chatico[.]co[.]uk. Meta's report adds that the group uses fake personas, posing as recruiters, military personnel, journalists, and people seeking romantic connections, to build trust with targets before sending them the apps.

[Image: GravityRAT Android Trojan (source: The Hacker News)]

The operators approach targets on Facebook and Instagram and persuade them to download the malicious apps. Once installed, the apps pose as legitimate messengers while collecting sensitive data without the user's knowledge and sending it to a remote server. The apps require the victim to create an account before they can be used.

What is new in this version of GravityRAT?

The latest version of GravityRAT stands out for two reasons: it specifically targets WhatsApp backup files, and it accepts commands from its command-and-control server to delete call logs, contact lists, and files with specific extensions from the device. Štefanko notes that this destructive behaviour is rarely seen in Android malware.

In related Android malware news, users in Vietnam are being hit by a recently discovered banking and data-stealing trojan called HelloTeacher. It masquerades as popular messaging apps such as Viber or Kik, then abuses the accessibility services API to harvest sensitive data and carry out unauthorized fund transfers.

Cyble uncovers cloud mining scam and financial trojan exploiting permissions.

Cyble has also uncovered a cloud mining scam that lures users into installing a supposed mining app. Once granted accessibility service permissions, the app silently harvests data from cryptocurrency wallets and banking applications. In addition, Cyble identified a financial trojan called Roamer that reflects a growing trend of distributing malware through phishing websites and Telegram channels, tactics that widen the pool of potential victims.

Cyble advises users to treat cryptocurrency mining channels on platforms like Telegram with suspicion, to avoid financial loss and protect personal data.
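Both HelloTeacher and the fake mining app described above depend on the victim granting an accessibility service, which is declared in the app's manifest. The following triage script is an added example, not code from ESET, Cyble, or any of the samples mentioned on this page: it parses an AndroidManifest.xml (decoded, for instance, with apktool) and flags an app that declares an accessibility service alongside permissions that a chat or mining app has little reason to request. The manifest embedded below is constructed for illustration and does not come from a real sample; the list of "suspicious" permissions is the author's assumption and should be tuned to your own baseline.

```python
"""Flag Android apps that combine an accessibility service with sensitive permissions.

Added example for triaging the accessibility-service abuse pattern described above.
The manifest below is constructed for illustration; it is not taken from any real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# A real accessibility service must be protected by this permission and
# register this intent action; either one is enough to identify it.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Assumed baseline: permissions that are individually legitimate but, combined
# with an accessibility service in a "chat" or "mining" app, warrant a closer look.
SUSPICIOUS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed manifest of a fake chat app that declares an accessibility service.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Chat">
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest of a benign app with no accessibility service, for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Notes">
        <service android:name=".SyncService"/>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a summary dict; 'flag' is True when an accessibility service is
    declared together with at least one permission from SUSPICIOUS_PERMS."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}

    a11y_services = []
    for svc in root.iter("service"):
        binds_a11y = svc.get(PERM_ATTR) == ACCESSIBILITY_PERM
        filters_a11y = any(
            act.get(NAME_ATTR) == ACCESSIBILITY_ACTION for act in svc.iter("action")
        )
        if binds_a11y or filters_a11y:
            a11y_services.append(svc.get(NAME_ATTR))

    suspicious = sorted(perms & SUSPICIOUS_PERMS)
    return {
        "package": root.get("package"),
        "accessibility_services": a11y_services,
        "suspicious_permissions": suspicious,
        "flag": bool(a11y_services) and bool(suspicious),
    }


if __name__ == "__main__":
    for label, manifest in (("fake chat", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

An accessibility service is not malicious on its own (screen readers and password managers need one), so the script only flags the combination with permissions the app's advertised purpose does not explain; for a messaging app, READ_SMS plus SYSTEM_ALERT_WINDOW is the overlay-and-intercept pattern that banking trojans rely on.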

