{
	"id": "d8a3c088-2f25-4b15-9f9f-780ca145eee3",
	"created_at": "2026-04-06T00:18:12.451964Z",
	"updated_at": "2026-04-10T13:13:07.997163Z",
	"deleted_at": null,
	"sha1_hash": "11cc9e68d713c8e37dc1d317d0fdb9d44708c0ae",
	"title": "Android GravityRAT goes after WhatsApp backups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 730013,
	"plain_text": "Android GravityRAT goes after WhatsApp backups\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 17:26:46 UTC\r\nESET researchers have identified an updated version of Android GravityRAT spyware being distributed as the messaging apps BingeChat and Chatico. GravityRAT is a remote access tool known to be used since at least 2015 and previously used in targeted attacks against India. Windows, Android, and macOS versions are available, as previously documented by Cisco Talos, Kaspersky, and Cyble. The actor behind GravityRAT remains unknown; we track the group internally as SpaceCobra.\r\nMost likely active since August 2022, the BingeChat campaign is still ongoing; however, the campaign using Chatico is no longer active. BingeChat is distributed through a website advertising free messaging services. Notable in the newly discovered campaign, GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files. The malicious apps also provide legitimate chat functionality based on the open-source OMEMO Instant Messenger app.\r\nKey points of this blogpost:\r\nWe discovered a new version of Android GravityRAT spyware being distributed as trojanized versions of the legitimate open-source OMEMO Instant Messenger Android app.\r\nThe trojanized BingeChat app is available for download from a website that presents it as a free messaging and file sharing service.\r\nThis version of GravityRAT is enhanced with two new capabilities: receiving commands to delete files and exfiltrating WhatsApp backup files.\r\nCampaign overview\r\nWe were alerted to this campaign by MalwareHunterTeam, which shared the hash for a GravityRAT sample via a tweet. Based on the name of the APK file, the malicious app is branded as BingeChat and claims to provide messaging functionality. 
We found the website bingechat[.]net from which this sample might have been downloaded (see Figure 1).\r\nhttps://www.welivesecurity.com/2023/06/15/android-gravityrat-goes-after-whatsapp-backups/\r\nPage 1 of 11\n\nFigure 1. Distribution website of the malicious BingeChat messaging app\r\nThe website should provide the malicious app after tapping the DOWNLOAD APP button; however, it requires visitors to log in. We didn’t have credentials, and registrations were closed (see Figure 2). It is most probable that the operators only open registration when they expect a specific victim to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe. Therefore, we believe that potential victims are highly targeted.\r\nFigure 2. The service currently doesn’t provide registrations\r\nAlthough we couldn’t download the BingeChat app via the website, we were able to find a URL on VirusTotal (https://downloads.bingechat[.]net/uploadA/c1d8bad13c5359c97cab280f7b561389153/BingeChat.zip) that contains the malicious BingeChat Android app. This app has the same hash as the app in the previously mentioned tweet, which means that this URL is a distribution point for this particular GravityRAT sample.\r\nThe same domain name is also referenced within the code of the BingeChat app – another hint that bingechat[.]net is used for distribution (see Figure 3).\r\nFigure 3. Distribution domain name referenced in the BingeChat app\r\nThe malicious app has never been made available in the Google Play store. It is a trojanized version of the legitimate open-source OMEMO Instant Messenger (IM) Android app, but is branded as BingeChat. 
OMEMO IM is a rebuild of the Android Jabber client Conversations.\r\nAs you can see in Figure 4, the HTML code of the malicious site includes evidence that it was copied from the legitimate site preview.colorlib.com/theme/BingeChat/ on July 5th, 2022, using the automated tool HTTrack; colorlib.com is a legitimate website that provides WordPress themes for download, but the BingeChat theme seems to no longer be available there. The bingechat[.]net domain was registered on August 18th, 2022.\r\nFigure 4. Log generated by the HTTrack tool and recorded in the malicious distribution website’s HTML code\r\nWe do not know how potential victims were lured to, or otherwise discovered, the malicious website. Considering that downloading the app is conditional on having an account and new account registration was not possible for us, we believe that potential victims were specifically targeted. The attack overview scheme is shown in Figure 5.\r\nFigure 5. GravityRAT distribution mechanism\r\nVictimology\r\nESET telemetry data has not recorded any victims of this BingeChat campaign, further suggesting that the campaign is probably narrowly targeted. However, our telemetry has one detection of another Android GravityRAT sample in India that occurred in June 2022. In this case, GravityRAT was branded as Chatico (see Figure 6).\r\nFigure 6. The login activity screen of Chatico\r\nLike BingeChat, Chatico is based on the OMEMO Instant Messenger app and trojanized with GravityRAT. Chatico was most likely distributed through the chatico.co[.]uk website and also communicated with a C\u0026C server. 
The domains for both the website and the C\u0026C server are now offline.\r\nFrom here on out, we will only focus on the active campaign using the BingeChat app, which has the same malicious functionality as Chatico.\r\nAttribution\r\nThe group behind the malware remains unknown, even though Facebook researchers attribute GravityRAT to a group based in Pakistan, as also previously speculated by Cisco Talos. We track the group internally under the name SpaceCobra, and attribute both the BingeChat and Chatico campaigns to this group.\r\nTypical malicious functionality for GravityRAT is associated with a specific piece of code that, in 2020, was attributed by Kaspersky to a group that uses Windows variants of GravityRAT.\r\nIn 2021, Cyble published an analysis of another GravityRAT campaign that exhibited the same patterns as BingeChat, such as a similar distribution vector for the trojan masquerading as a legitimate chat app (in that case SoSafe Chat), the use of the open-source OMEMO IM code, and the same malicious functionality. In Figure 7, you can see a comparison of malicious classes between the GravityRAT sample analyzed by Cyble and the new sample contained in BingeChat. Based on this comparison, we can state with high confidence that the malicious code in BingeChat belongs to the GravityRAT malware family.\r\nFigure 7. Comparison of the class names for the trojan masquerading as the legitimate SoSafe Chat (left) and BingeChat (right) apps\r\nTechnical analysis\r\nAfter launch, the app requests the user to allow all the necessary permissions to work properly, as shown in Figure 8. 
Except for permission to read the call logs, the other requested permissions are typical of any messaging application, so the device user might not be alarmed when the app requests them.\r\nFigure 8. Permissions requested by BingeChat\r\nAs part of the app’s legitimate functionality, it provides options to create an account and log in. Before the user signs into the app, GravityRAT starts to interact with its C\u0026C server, exfiltrating the device user’s data and waiting for commands to execute. GravityRAT is capable of exfiltrating:\r\ncall logs\r\ncontact list\r\nSMS messages\r\nfiles with specific extensions: jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18, crypt32\r\ndevice location\r\nbasic device information\r\nData to be exfiltrated is stored in text files on external media, then exfiltrated to the C\u0026C server, and finally removed. The file paths for the staged data are listed in Figure 9.\r\nFigure 9. File paths to data staged for exfiltration\r\nThis version of GravityRAT has two small updates compared to previous, publicly known versions of GravityRAT. First, it extends the list of files to exfiltrate to those with the crypt14, crypt12, crypt13, crypt18, and crypt32 extensions. These crypt files are encrypted backups created by WhatsApp Messenger. Second, it can receive three commands from a C\u0026C server to execute:\r\nDeleteAllFiles – deletes files with a particular extension, exfiltrated from the device\r\nDeleteAllContacts – deletes contact list\r\nDeleteAllCallLogs – deletes call logs\r\nThese are very specific commands that are not typically seen in Android malware. 
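To make the staging paths and the extension list above actionable, here is an added triage script, written for this edit and not ESET’s or the malware’s own code, that runs over a copy of a device’s external storage (for example pulled with adb pull /sdcard), checks for the staging files named in Figure 9 and the Paths list of the IoCs section, and inventories every file whose extension is on the exfiltration list, WhatsApp local backups included. The directory layout it builds for its demo run is constructed, and the function names are this edit’s own. One caveat worth knowing before you assess impact: the crypt* backups are encrypted with a key that WhatsApp keeps in its app-private data directory, which an unprivileged app cannot read, so the operator still needs that key (or a rooted device) to open them; the backup is nonetheless a complete copy of the message history.

```python
import os
import tempfile

# Staging paths from the report, relative to the external storage root
# (/storage/emulated/0 on the device). GravityRAT writes collected data
# here, uploads it, and then deletes the file.
STAGING_PATHS = [
    'Android/ebc/oww.log',
    'Android/ebc/obb.log',
    'bc/ms.log',
    'bc/cl.log',
    'bc/cdcl.log',
    'bc/cdms.log',
    'bc/cs.log',
    'bc/location.log',
]

# Extensions the sample exfiltrates, per the report. Stored lower-cased so
# that the JPG/PNG/JPEG variants collapse onto one entry each.
TARGETED_EXTENSIONS = {
    'jpg', 'jpeg', 'log', 'png', 'txt', 'pdf', 'xml', 'doc', 'xls', 'xlsx',
    'ppt', 'pptx', 'docx', 'opus',
    'crypt12', 'crypt13', 'crypt14', 'crypt18', 'crypt32',
}
# Subset that corresponds to WhatsApp local backups (msgstore.db.cryptNN).
WHATSAPP_BACKUP_EXTENSIONS = {'crypt12', 'crypt13', 'crypt14', 'crypt18', 'crypt32'}


def find_staging_artifacts(root):
    # Any of these files present on a device is a strong indicator. Because
    # the malware deletes them after upload, their absence proves nothing.
    return [p for p in STAGING_PATHS if os.path.isfile(os.path.join(root, p))]


def inventory_exposed_files(root):
    # Walk the storage tree and bucket every file whose extension is on the
    # exfiltration list. This is the data a victim should assume was taken.
    # Note that the staging .log files themselves land in the 'log' bucket.
    exposed = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            ext = name.rsplit('.', 1)[-1].lower() if '.' in name else ''
            if ext in TARGETED_EXTENSIONS:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                exposed.setdefault(ext, []).append(rel)
    return exposed


def whatsapp_backups(exposed):
    # Flatten the crypt* buckets into one sorted list of backup paths.
    return sorted(
        path for ext, paths in exposed.items()
        if ext in WHATSAPP_BACKUP_EXTENSIONS for path in paths
    )


def triage(root):
    exposed = inventory_exposed_files(root)
    return {
        'staging_hits': find_staging_artifacts(root),
        'exposed': exposed,
        'whatsapp_backups': whatsapp_backups(exposed),
    }


def build_sample_tree():
    # Constructed stand-in for a pulled external-storage tree. Contents are
    # dummy text; only the names and layout matter for the demo.
    root = tempfile.mkdtemp(prefix='gravityrat_triage_')
    for rel in (
        'bc/cl.log',
        'Android/ebc/oww.log',
        'WhatsApp/Databases/msgstore.db.crypt14',
        'DCIM/Camera/IMG_0001.JPG',
        'Download/invoice.pdf',
        'Music/track.mp3',
    ):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as fh:
            fh.write('constructed sample content')
    return root


if __name__ == '__main__':
    report = triage(build_sample_tree())
    print('staging artifacts:', report['staging_hits'])
    print('whatsapp backups:', report['whatsapp_backups'])
    for ext in sorted(report['exposed']):
        print(ext, len(report['exposed'][ext]), 'file(s)')
```

Run it against a real pull by calling triage() with the directory you pulled to; the extension match is case-insensitive on purpose, since the report lists both jpg and JPG, and a hit in staging_hits should be escalated even if the file is empty.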
Previous versions of Android GravityRAT could not receive commands at all; they could only upload exfiltrated data to a C\u0026C server at a particular time.\r\nGravityRAT contains two hardcoded C\u0026C subdomains shown in Figure 10; however, it is coded to use only the first one (https://dev.androidadbserver[.]com).\r\nFigure 10. Hardcoded initial C\u0026C servers\r\nThis C\u0026C server is contacted to register a new compromised device, and to retrieve two additional C\u0026C addresses: https://cld.androidadbserver[.]com and https://ping.androidadbserver[.]com when we tested it, as shown in Figure 11.\r\nFigure 11. C\u0026C communication to register a new device\r\nAgain, only the first C\u0026C server is used, this time to upload the device user’s data, as seen in Figure 12.\r\nFigure 12. Victim data exfiltration to C\u0026C server\r\nConclusion\r\nKnown to have been active since at least 2015, SpaceCobra has resuscitated GravityRAT to include expanded functionalities to exfiltrate WhatsApp Messenger backups and receive commands from a C\u0026C server to delete files. Just as before, this campaign employs messaging apps as a cover to distribute the GravityRAT backdoor. The group behind the malware uses legitimate OMEMO IM code to provide the chat functionality for the malicious messaging apps BingeChat and Chatico. According to ESET telemetry, a user in India was targeted by the updated Chatico version of the RAT, similar to previously documented SpaceCobra campaigns. The BingeChat version is distributed through a website that requires registration, likely open only when the attackers expect specific victims to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe. 
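The C\u0026C flow described in the technical analysis (registration against dev.androidadbserver[.]com, then cld and ping subdomains handed back by the server) means the domains, not the individual hostnames, are the durable indicators: the operator can mint new subdomains without touching the APK. Here is an added hunting script, written for this edit and not ESET’s code, that refangs the domains published in the IoCs section and matches them, apex and any subdomain, against DNS query logs. The log lines and their timestamp/client/qname layout are constructed for the demo; adapt the split in hunt() to your resolver’s format. The labels are this edit’s own shorthand.

```python
# Domains from the IoCs section of the report, kept defanged exactly as
# published so they can be pasted in without editing.
DEFANGED_INDICATORS = {
    'bingechat[.]net': 'BingeChat distribution website',
    'chatico.co[.]uk': 'Chatico distribution website',
    'androidadbserver[.]com': 'BingeChat C2 infrastructure',
    'jdklibraries[.]com': 'Chatico C2 infrastructure',
}


def refang(indicator):
    # Turn the [.] convention back into a real dotted name, normalised.
    return indicator.replace('[.]', '.').lower().strip('.')


def build_matcher(defanged):
    return {refang(domain): label for domain, label in defanged.items()}


def classify(qname, indicators):
    # Match the apex and any subdomain, but not look-alike names that merely
    # end with the same characters (notbingechat.net must not match).
    host = qname.lower().strip('.')
    for domain, label in indicators.items():
        if host == domain or host.endswith('.' + domain):
            return label
    return None


# Constructed DNS query log, one record per line: timestamp client qname.
SAMPLE_LOG = [
    '2023-03-16T10:02:11Z 10.0.0.21 dev.androidadbserver.com.',
    '2023-03-16T10:02:12Z 10.0.0.21 cld.androidadbserver.com',
    '2023-03-16T10:05:40Z 10.0.0.33 www.example.com',
    '2023-03-16T10:06:01Z 10.0.0.33 downloads.bingechat.net',
    '2023-03-16T10:07:09Z 10.0.0.40 notbingechat.net',
    'malformed line',
]


def hunt(lines, indicators):
    # Return (timestamp, client, qname, label) for every matching query.
    # Malformed records are skipped rather than allowed to abort the run.
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        host = qname.lower().strip('.')
        label = classify(host, indicators)
        if label is not None:
            hits.append((ts, client, host, label))
    return hits


def clients_of_concern(hits):
    # Device addresses worth pulling for forensic review.
    return sorted({client for _ts, client, _host, _label in hits})


if __name__ == '__main__':
    indicators = build_matcher(DEFANGED_INDICATORS)
    hits = hunt(SAMPLE_LOG, indicators)
    for hit in hits:
        print(*hit)
    print('clients:', clients_of_concern(hits))
```

Alert on the domains rather than the listed IP addresses: the 104.21.x.x and 172.67.x.x entries are Cloudflare-fronted and shared with unrelated sites, so an IP match on its own is not evidence of contact with this infrastructure.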
In any case, we believe the campaign is highly targeted.\r\nIoCs\r\nFiles\r\nSHA-1 | Package name | ESET detection name | Description\r\n2B448233E6C9C4594E385E799CEA9EE8C06923BD | eu.siacs.bingechat | Android/Spy.Gravity.A | GravityRAT impersonating BingeChat\r\n25715A41250D4B9933E3599881CE020DE7FA6DC3 | eu.siacs.bingechat | Android/Spy.Gravity.A | GravityRAT impersonating BingeChat\r\n1E03CD512CD75DE896E034289CB2F5A529E4D344 | eu.siacs.chatico | Android/Spy.Gravity.A | GravityRAT impersonating Chatico\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\n75.2.37[.]224 | jre.jdklibraries[.]com | Amazon.com, Inc. | 2022-11-16 | Chatico C\u0026C server.\r\n104.21.12[.]211 | cld.androidadbserver[.]com, adb.androidadbserver[.]com | Cloudflare, Inc. | 2023-03-16 | BingeChat C\u0026C servers.\r\n104.21.24[.]109 | dev.jdklibraries[.]com | Cloudflare, Inc. | N/A | Chatico C\u0026C server.\r\n104.21.41[.]147 | chatico.co[.]uk | Cloudflare, Inc. | 2021-11-19 | Chatico distribution website.\r\n172.67.196[.]90 | dev.androidadbserver[.]com, ping.androidadbserver[.]com | Cloudflare, Inc. | 2022-11-16 | BingeChat C\u0026C servers.\r\n172.67.203[.]168 | bingechat[.]net | Cloudflare, Inc. | 2022-08-18 | BingeChat distribution website.\r\nPaths\r\nData is staged for exfiltration in the following places:\r\n/storage/emulated/0/Android/ebc/oww.log\r\n/storage/emulated/0/Android/ebc/obb.log\r\n/storage/emulated/0/bc/ms.log\r\n/storage/emulated/0/bc/cl.log\r\n/storage/emulated/0/bc/cdcl.log\r\n/storage/emulated/0/bc/cdms.log\r\n/storage/emulated/0/bc/cs.log\r\n/storage/emulated/0/bc/location.log\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 13 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nPersistence | T1398 | Boot or Logon Initialization Scripts | GravityRAT receives the BOOT_COMPLETED broadcast intent to activate at device startup.\r\nPersistence | T1624.001 | Event Triggered Execution: Broadcast Receivers | GravityRAT functionality is triggered if one of these events occurs: USB_DEVICE_ATTACHED, ACTION_CONNECTION_STATE_CHANGED, USER_UNLOCKED, ACTION_POWER_CONNECTED, ACTION_POWER_DISCONNECTED, AIRPLANE_MODE, BATTERY_LOW, BATTERY_OKAY, DATE_CHANGED, REBOOT, TIME_TICK, or CONNECTIVITY_CHANGE.\r\nDefense Evasion | T1630.002 | Indicator Removal on Host: File Deletion | GravityRAT removes local files that contain sensitive information exfiltrated from the device.\r\nDiscovery | T1420 | File and Directory Discovery | GravityRAT lists available files on external storage.\r\nDiscovery | T1422 | System Network Configuration Discovery | GravityRAT extracts the IMEI, IMSI, IP address, phone number, and country.\r\nDiscovery | T1426 | System Information Discovery | GravityRAT extracts information about the device, including SIM serial number, device ID, and common system information.\r\nCollection | T1533 | Data from Local System | GravityRAT exfiltrates files from the device.\r\nCollection | T1430 | Location Tracking | GravityRAT tracks device location.\r\nCollection | T1636.002 | Protected User Data: Call Logs | GravityRAT extracts call logs.\r\nCollection | T1636.003 | Protected User Data: Contact List | GravityRAT extracts the contact list.\r\nCollection | T1636.004 | Protected User Data: SMS Messages | GravityRAT extracts SMS messages.\r\nCommand and Control | T1437.001 | Application Layer Protocol: Web Protocols | GravityRAT uses HTTPS to communicate with its C\u0026C server.\r\nExfiltration | T1646 | Exfiltration Over C2 Channel | GravityRAT exfiltrates data using HTTPS.\r\nImpact | T1641 | Data Manipulation | GravityRAT removes files with particular extensions from the device, and deletes all user call logs and the contact list.\r\nSource: https://www.welivesecurity.com/2023/06/15/android-gravityrat-goes-after-whatsapp-backups/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2023/06/15/android-gravityrat-goes-after-whatsapp-backups/"
	],
	"report_names": [
		"android-gravityrat-goes-after-whatsapp-backups"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434692,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11cc9e68d713c8e37dc1d317d0fdb9d44708c0ae.pdf",
		"text": "https://archive.orkl.eu/11cc9e68d713c8e37dc1d317d0fdb9d44708c0ae.txt",
		"img": "https://archive.orkl.eu/11cc9e68d713c8e37dc1d317d0fdb9d44708c0ae.jpg"
	}
}