A hacking group known as SpaceCobra has developed an instant messaging app that is also capable of stealing large amounts of sensitive information from the target device. The threat actor seems to know exactly whom it wants to target, as even downloading the app has proven quite a challenge for researchers.
ESET cybersecurity researchers recently discovered that two messaging apps, called BingeChat and Chatico, actually serve GravityRAT, a remote access trojan. This RAT was able to exfiltrate a wide range of sensitive information from the compromised devices, including call logs, contact lists, SMS messages, device location, basic device information and files with specific extensions for images, photos and documents.
No presence on the App Store
What sets these two apps apart from other apps carrying GravityRAT is that they can also steal WhatsApp backups and receive commands to delete files.
The way the malware is distributed makes this campaign even more unusual. The apps cannot be found on app stores and have never been uploaded to Google Play, for example. Instead, they can only be downloaded by visiting a specially designed website and signing up for an account. That may not seem like anything special, but ESET researchers were unable to open an account because registrations were “closed” when they visited. This led them to conclude that the group targets its victims very selectively, possibly restricting access to a specific location or IP address.
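A defender reading the two paragraphs above (a stealer that needs call-log, contact, SMS, location and storage access, delivered outside Google Play) can turn them into a simple triage rule: flag installed packages whose installer is not a trusted app store and which hold several of those data-access permissions at once. The script below is an added example, not code from ESET or from the article; the `pm list packages -i` output and the per-package permission lists are constructed samples (the package names are made up, and `com.example.bingechat` is a placeholder rather than the real app's identifier), and the set of trusted installers is an assumption to adjust for your own fleet.

```python
"""Triage sideloaded Android apps that hold the permissions a
GravityRAT-style stealer needs (call logs, contacts, SMS, location, storage).

Input 1 follows the line format printed by `adb shell pm list packages -i`
("package:<name>  installer=<installer>", with "null" for sideloads).
Input 2 is a per-package list of granted permissions, as one would collect
from `adb shell dumpsys package <pkg>`. Both samples here are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: Google Play's installer package is com.android.vending; extend
# this set with any enterprise store your devices legitimately use.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Permissions covering the data classes the ESET report says the RAT takes.
COLLECTION_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.READ_EXTERNAL_STORAGE": "files and WhatsApp backups",
}

PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when pm reports 'null')."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if not m:
            continue  # ignore blank lines and anything that is not a package row
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


@dataclass
class Finding:
    package: str
    installer: Optional[str]
    data_classes: List[str] = field(default_factory=list)


def triage(pm_output: str, granted: Dict[str, List[str]],
           min_classes: int = 3) -> List[Finding]:
    """Return packages that are (a) not from a trusted installer and
    (b) hold at least `min_classes` of the collection permissions."""
    findings = []
    for pkg, installer in parse_pm_list(pm_output).items():
        if installer in TRUSTED_INSTALLERS:
            continue
        held = [COLLECTION_PERMISSIONS[p] for p in granted.get(pkg, [])
                if p in COLLECTION_PERMISSIONS]
        if len(held) >= min_classes:
            findings.append(Finding(pkg, installer, held))
    return findings


# Constructed sample of `pm list packages -i` output (package names invented).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bingechat  installer=null
package:com.example.notes  installer=com.android.vending
package:com.example.sidetool  installer=null
"""

# Constructed per-package permission lists, as gathered from dumpsys.
SAMPLE_PERMISSIONS = {
    "com.android.chrome": ["android.permission.ACCESS_FINE_LOCATION",
                           "android.permission.READ_CONTACTS"],
    "com.example.bingechat": ["android.permission.READ_CALL_LOG",
                              "android.permission.READ_CONTACTS",
                              "android.permission.READ_SMS",
                              "android.permission.ACCESS_FINE_LOCATION",
                              "android.permission.READ_EXTERNAL_STORAGE"],
    "com.example.notes": ["android.permission.READ_EXTERNAL_STORAGE"],
    "com.example.sidetool": ["android.permission.READ_EXTERNAL_STORAGE",
                             "android.permission.CAMERA"],
}

if __name__ == "__main__":
    for f in triage(SAMPLE_PM_OUTPUT, SAMPLE_PERMISSIONS):
        print(f"{f.package} (installer={f.installer}): {', '.join(f.data_classes)}")
```

With the sample data only the sideloaded messenger placeholder is reported; the browser holds two of the permissions but came from the trusted installer, and the other sideloaded package holds only one data class. The threshold is deliberately a count of data classes rather than a fixed signature, because the combination of "not from the store" and "reads several personal-data stores" is what the article's description of the campaign actually gives a defender to work with.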
“It is very likely that operators only open registration when they expect a specific victim to visit the site, possibly with a particular IP address, geolocation, custom URL, or within a specific time limit,” says Lukáš Štefanko, Researcher at ESET. “Although we were unable to download the BingeChat app via the website, we were able to find a distribution URL on VirusTotal,” he adds.
That said, the majority of victims seem to reside in India. The attackers, SpaceCobra, are reportedly of Pakistani origin. The campaign has most likely been active since August last year, with one of the two apps (BingeChat) still active, the researchers said. The malicious app, based on the open-source OMEMO Instant Messenger app, is available for Windows, macOS, and Android.