GravityRat Android Malware

Original Issue Date:- August 11, 2023
Virus Type:- Android Malware
Severity:- Medium

It has been reported that a new variant of the 'GravityRat' Android malware is infecting Android devices. GravityRat reaches its victims through the BingeChat application and aims to steal their data, including WhatsApp backup files and other sensitive information.

Infection Mechanism:

The GravityRat malware exfiltrates WhatsApp backups and receives commands to delete files. It is distributed through a messaging app called BingeChat, which is not available on the Play Store. Instead, users download it from a website as an .apk file, advertised as a free messaging and sharing app.

Fig.1- Website of the malicious BingeChat app [Source: ESET]

The threat actors identify and target victims based on factors such as geolocation, IP address, custom URL, etc., and only these victims are given access to download the malicious application. Unintended visitors who try to download it are shown a registration error by the webpage.

Fig.2- Access denied to unintended visitors [Source: ESET]

Once the app is launched on a targeted victim's device, it requests permissions to access various features such as Location, SMS, Phone, Call Logs, Storage, etc. The user is then prompted to log in or sign up for the app. In the background, GravityRat begins communicating with the C2 server, exfiltrating sensitive data and awaiting further instructions in the form of C2 commands.

Fig.3- Permissions requested by the malicious BingeChat app [Source: ESET]


GravityRat steals documents with the following file extensions: pdf, xml, doc, xls, xlsx, ppt, docx, jpg, jpeg, log, png, txt, opus, crypt14, crypt12 and many more. It should be noted that the crypt14 and crypt12 extensions correspond to WhatsApp messenger backup files.

The malware can also execute commands received from the C&C server, including commands to delete call logs, files, contacts, etc.

Indicators of Compromise:

IPs:

  • 75.2.37[dot]224
  • 104.21.12[dot]211
  • 104.21.24[dot]109

SHA-1 Hashes:

  • 2B448233E6C9C4594E385E799CEA9EE8C06923BD
  • 25715A41250D4B9933E3599881CE020DE7FA6DC3
  • 1E03CD512CD75DE896E034289CB2F5A529E4D344

Domains:

  • jre.jdklibraries[dot]com
  • cld.androidadbserver[dot]com
  • adb.androidadbserver[dot]com
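The following is an added example, not part of this advisory or of ESET's research, that matches the indicators listed above against log records. The three-field log format and the sample records are assumptions constructed for the example.

```python
import re

# Indicators exactly as published in this advisory (defanged with "[dot]").
DEFANGED_DOMAINS = [
    "jre.jdklibraries[dot]com",
    "cld.androidadbserver[dot]com",
    "adb.androidadbserver[dot]com",
]
DEFANGED_IPS = ["75.2.37[dot]224", "104.21.12[dot]211", "104.21.24[dot]109"]
SHA1_HASHES = {
    "2B448233E6C9C4594E385E799CEA9EE8C06923BD",
    "25715A41250D4B9933E3599881CE020DE7FA6DC3",
    "1E03CD512CD75DE896E034289CB2F5A529E4D344",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a value that can be matched."""
    return indicator.replace("[dot]", ".").replace("[.]", ".").lower()

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

# Assumed record format: "<timestamp> <dns|conn|file> <device> <value>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|conn|file)\s+(?P<dev>\S+)\s+(?P<value>\S+)$")

def is_domain_hit(name: str) -> bool:
    """Exact or subdomain match against the listed C2 domains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in DOMAINS)

def scan_log(lines):
    """Return (timestamp, kind, device, value) for every record hitting an IoC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed records instead of failing the whole scan
        ts, kind, dev, value = m.group("ts", "kind", "dev", "value")
        if ((kind == "dns" and is_domain_hit(value))
                or (kind == "conn" and value in IPS)
                or (kind == "file" and value.upper() in SHA1_HASHES)):
            hits.append((ts, kind, dev, value))
    return hits

# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    "2023-08-11T09:00:01Z dns 10.0.0.12 jre.jdklibraries.com.",
    "2023-08-11T09:00:02Z conn 10.0.0.12 104.21.24.109",
    "2023-08-11T09:00:03Z dns 10.0.0.13 play.google.com",
    "2023-08-11T09:00:04Z file 10.0.0.12 2b448233e6c9c4594e385e799cea9ee8c06923bd",
    "2023-08-11T09:00:05Z conn 10.0.0.13 8.8.8.8",
    "garbage line",
]
```

Feeding real DNS, firewall and EDR file-hash exports into scan_log in this format flags the device that resolved, connected to, or holds a file matching the published indicators.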

For a more detailed list of IoCs, kindly refer to the following URL:

Best Practices and Recommendations:

  • All users should avoid downloading APKs from outside Google Play and be cautious of risky permission requests while installing any app.
  • Reduce the risk of downloading potentially harmful apps by limiting your download sources to official app stores, such as your device manufacturer's or operating system's app store.
  • Prior to downloading / installing apps on Android devices (even from the Google Play Store):
    • Always review the app details, number of downloads, user reviews, comments and the "ADDITIONAL INFORMATION" section.
    • Verify app permissions and grant only those permissions that have a relevant context for the app's purpose.
    • Do not enable the "Untrusted Sources" checkbox to install side-loaded apps.
  • Install Android updates and patches as and when they become available from Android device vendors.
  • Google Play Protect should be enabled on the Android device.
  • Permissions should also be granted carefully.
  • Do not browse untrusted websites or follow untrusted links, and exercise caution while clicking on links provided in any unsolicited emails and SMSs.
  • Install and maintain updated anti-virus and anti-spyware software.
  • Do extensive research before clicking on a link provided in a message. Many websites allow anyone to run a search based on a phone number and see related information about whether or not the number is legitimate.
  • Only click on URLs that clearly indicate the website domain. When in doubt, users can search for the organisation's website directly using search engines to ensure that the websites they visit are legitimate.
  • Consider using Safe Browsing tools and filtering tools (antivirus and content-based filtering) in your antivirus, firewall, and filtering services.
  • Exercise caution towards shortened URLs, such as those involving bit.ly and tinyurl. Users are advised to hover their cursor over a shortened URL (if possible) to see the full website domain they are visiting, or to use a URL checker that lets the user enter a short URL and view the full URL. Users can also use the shortening service's preview feature to see a preview of the full URL.
  • Look out for valid encryption certificates by checking for the green lock in the browser's address bar before providing any sensitive information such as personal particulars or account login details.
  • Customers should report any unusual activity in their account immediately to the respective bank with the relevant details so that further appropriate action can be taken.
