Android smartphone owners are under attack from a pair of malicious chat apps that are being used to install the GravityRAT malware on vulnerable devices.
The campaign spreading this updated version of GravityRAT was discovered by security researchers at ESET who detailed their findings in a new report. However, as BleepingComputer points out, GravityRAT has been active since at least 2015 as a remote access tool but hackers only began using it to target the best Android phones back in 2020.
The two malicious chat apps Android users need to be on the lookout for are called BingeChat and Chatico. Unlike other apps though, they can’t be downloaded from the Google Play Store or other official Android app stores. Instead, both BingeChat and Chatico are being distributed through fake websites that promote free messaging services.
The hackers behind this new GravityRAT campaign have also gone to great lengths to win over potential targets according to Meta’s latest Quarterly Adversarial Threat Report (PDF). In addition to posing as women looking to make a romantic connection, the hackers also posed as recruiters for both companies and governments to try and lure potential victims into installing the malicious chat apps used to infect their devices with malware.
Also, as the best encrypted messaging apps have become more popular, both BingeChat and Chatico are advertised by the hackers responsible as being end-to-end encrypted to make them seem more appealing.
GravityRAT malware
Just like many other chat apps, BingeChat and Chatico request a number of risky permissions including access to a user’s contacts, location, phone, text messages, storage, call logs, camera and microphone. However, since these kinds of permissions are often requested by messaging apps, most users won’t think twice before tapping accept.
Before a user who has downloaded BingeChat even registers, the app sends all of their call logs, contacts, text messages, device location and other information about their phone to a command and control (C&C) server controlled by the hackers behind this campaign.
At the same time, any documents, videos or images stored on the now-compromised device are also stolen. The updated GravityRAT malware also looks for files with the extensions crypt14, crypt12, crypt13, crypt18, and crypt32 which correspond with WhatsApp backups stored on a victim’s smartphone.
To make matters worse, this new version of the malware can receive three commands from the C&C server that can wipe the data on your phone including “delete all files”, “delete all contacts” and “delete all call logs.”
How to stay safe from malicious chat apps
When it comes to staying safe from malicious apps including malicious chat apps like BingeChat and Chatico, the main thing you need to do is to avoid sideloading apps.
Unlike the apps on the Google Play Store and other official Android app stores, sideloaded apps don’t go through the same rigorous security checks and can often contain malware or other viruses. Sideloading apps may be convenient but it isn’t worth the risk.
As we saw in the campaign described above, you also want to be on the lookout for new people you’ve met online or even in real life that are sending you links to download apps. This is a major red flag and even if the link appears legitimate at first glance, it could take you to a phishing site.
With Android malware, installing and using one of the best Android antivirus apps can help keep you protected. However, if you’re on a tight budget, Google Play Protect, which comes pre-installed on most Android phones, can also scan both your existing apps and any new ones you download for malware and other viruses.
Since GravityRAT has been active since at least 2015, this malware is likely to remain a threat to Android users. While it’s dangerous now, it may even become more treacherous in the future as its creators add new capabilities to the malware.