This dangerous new malware is after your WhatsApp backups
Two instant messaging apps are stealing WhatsApp backups
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
A hacking group known as SpaceCobra developed an instant messaging app that is also able to steal a lot of sensitive information from the target device. The threat actor seems to know exactly who it wants to target, as downloading the app has proven to be quite the challenge for researchers.
Cybersecurity researchers from ESET recently discovered that two messaging apps, called BingeChat and Chatico, were actually serving GravityRAT, a remote access trojan. This RAT was capable of exfiltrating plenty of sensitive information from compromised endpoints, including call logs, contact list, SMS messages, device location, basic device information, and files with specific extensions for pictures, photos, and documents.
No app store presence
What makes these two apps stand out from others delivering GravityRAT out there, is that these can also stealWhatsAppbackups and receive commands to delete files.
The way themalwareis distributed makes this campaign even more unique. The apps cannot be found on app stores and were never uploaded toGoogle Play, for example. Instead, they can only be downloaded by visiting a specially crafted website and opening up an account. This might not sound like anything special, but the researchers from ESET could not open up an account as registrations were “closed” when they visited. This prompted them to conclude that the group was very precise with its targeting, possibly going for a specific location or IP address.
Over 50 Chinese apps banned in fresh crackdown by the Indian government>Windows 11 now has much better protection against brute-force attacks>These are the best ID theft protection programs today
“It is most probable that the operators only open registration when they expect a specific victim to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe,” says ESET researcher Lukáš Štefanko. “Although we couldn’t download the BingeChat app via the website, we were able to find a distribution URL on VirusTotal,” he adds.
That being said, the majority of the victims seem to reside in India. The attackers, SpaceCobra, are apparently of Pakistani origin. The campaign is most likely active since August last year, with one of the two (BingeChat) still being active, the researchers said. The malicious app, based on the open-source OMEMO Instant Messenger app, is available for Windows, macOS, and Android.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Cisco issues patch to fix serious flaw allowing possible industrial systems takeover
Washington state court systems taken offline following cyberattack
Lego will let you build Sir Ernest Shackleton’s iconic lost ship, the Endurance, in its next Icons set
