
WhatsApp backups subjected to Android GravityRAT malware attacks

BleepingComputer reports that an updated version of the Android GravityRAT spyware is exfiltrating WhatsApp backup files in a malware campaign that has been ongoing since last August. According to an ESET report, GravityRAT operator SpaceCobra has distributed the spyware as a purportedly end-to-end encrypted chat app dubbed "BingeChat," a trojanized version of the open-source Android messaging app OMEMO IM that was available for invite-based download at the "bingechat[.]net" domain. SpaceCobra also leveraged OMEMO IM to develop the fake Chatico messaging app. Upon installation, BingeChat requests several permissions that are standard for messaging apps, and it sends call logs, SMS messages, contact lists, device location, and device details to SpaceCobra's command-and-control server before stealing WhatsApp backups along with image files, PDFs, XMLs, and Microsoft Office files. The updated GravityRAT variant can also receive commands to delete all files with a particular extension, all contacts, and call logs, researchers said.
