Android GravityRAT goes after WhatsApp backups

ESET researchers have identified an updated version of Android GravityRAT spyware being distributed as the messaging apps BingeChat and Chatico. GravityRAT is a remote access tool known to be used since at least 2015 and previously used in targeted attacks against India. Windows, Android, and macOS versions are available, as previously documented by Cisco Talos, Kaspersky, and Cyble. The actor behind GravityRAT remains unknown; we track the group internally as SpaceCobra.

Most likely active since August 2022, the BingeChat campaign is still ongoing; however, the campaign using Chatico is no longer active. BingeChat is distributed through a website advertising free messaging services. Notable in the newly discovered campaign, GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files. The malicious apps also provide legitimate chat functionality based on the open-source OMEMO Instant Messenger app.

Key points of this blogpost:

We discovered a new version of Android GravityRAT spyware being distributed as trojanized versions of the legitimate open-source OMEMO Instant Messenger Android app.
The trojanized BingeChat app is available for download from a website that presents it as a free messaging and file sharing service.
This version of GravityRAT is enhanced with two new capabilities: receiving commands to delete files and exfiltrating WhatsApp backup files.

Campaign overview

We were alerted to this campaign by MalwareHunterTeam, which shared the hash for a GravityRAT sample via a tweet. Based on the name of the APK file, the malicious app is branded as BingeChat and claims to provide messaging functionality. We found the website bingechat[.]net from which this sample might have been downloaded (see Figure 1).

Figure 1. Distribution website of the malicious BingeChat messaging app

The website should provide the malicious app after tapping the DOWNLOAD APP button; however, it requires visitors to log in. We didn’t have credentials, and registrations were closed (see Figure 2). It is most probable that the operators only open registration when they expect a specific victim to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe. Therefore, we believe that potential victims are highly targeted.

Figure 2. The service currently doesn’t provide registrations

Although we couldn’t download the BingeChat app via the website, we were able to find a URL on VirusTotal (https://downloads.bingechat[.]net/uploadA/c1d8bad13c5359c97cab280f7b561389153/) that contains the malicious BingeChat Android app. This app has the same hash as the app in the previously mentioned tweet, which means that this URL is a distribution point for this particular GravityRAT sample.

The same domain name is also referenced within the code of the BingeChat app – another hint that bingechat[.]net is used for distribution (see Figure 3).

Figure 3. Distribution domain name referenced in the BingeChat app

The malicious app has never been made available in the Google Play store. It is a trojanized version of the legitimate open-source OMEMO Instant Messenger (IM) Android app, but is branded as BingeChat. OMEMO IM is a rebuild of the Android Jabber client Conversations.

As you can see in Figure 4, the HTML code of the malicious site includes evidence that it was copied from the legitimate site on July 5th, 2022, using the automated tool HTTrack. The copied site is a legitimate website that provides WordPress themes for download, but the BingeChat theme seems to no longer be available there. The bingechat[.]net domain was registered on August 18th, 2022.

Figure 4. Log generated by the HTTrack tool and recorded in the malicious distribution website’s HTML code

We do not know how potential victims were lured to, or otherwise discovered, the malicious website. Considering that downloading the app is conditional on having an account and new account registration was not possible for us, we believe that potential victims were specifically targeted. The attack overview scheme is shown in Figure 5.

Figure 5. GravityRAT distribution mechanism


ESET telemetry data has not recorded any victims of this BingeChat campaign, further suggesting that the campaign is probably narrowly targeted. However, our telemetry has one detection of another Android GravityRAT sample in India that occurred in June 2022. In this case, GravityRAT was branded as Chatico (see Figure 6).

Figure 6. The login activity screen of Chatico

Like BingeChat, Chatico is based on the OMEMO Instant Messenger app and trojanized with GravityRAT. Chatico was most likely distributed through the[.]uk website and also communicated with a C&C server. The domains for both the website and C&C server are now offline.

From here on out, we will only focus on the active campaign using the BingeChat app, which has the same malicious functionality as Chatico.


The group behind the malware remains unknown, even though Facebook researchers attribute GravityRAT to a group based in Pakistan, as also previously speculated by Cisco Talos. We track the group internally under the name SpaceCobra, and attribute both the BingeChat and Chatico campaigns to this group.

Typical malicious functionality for GravityRAT is associated with a specific piece of code that, in 2020, was attributed by Kaspersky to a group that uses Windows variants of GravityRAT.

In 2021, Cyble published an analysis of another GravityRAT campaign that exhibited the same patterns as BingeChat: a similar distribution vector for the trojan masquerading as a legitimate chat app (in that case SoSafe Chat), the use of the open-source OMEMO IM code, and the same malicious functionality. In Figure 7, you can see a comparison of malicious classes between the GravityRAT sample analyzed by Cyble and the new sample contained in BingeChat. Based on this comparison, we can state with high confidence that the malicious code in BingeChat belongs to the GravityRAT malware family.

Figure 7. Comparison of the class names for the trojan masquerading as legit SoSafe Chat (left) and BingeChat (right) apps

Technical analysis

After launch, the app requests the user to allow all the necessary permissions to work properly, as shown in Figure 8. Except for permission to read the call logs, the other requested permissions are typical of any messaging application, so the device user might not be alarmed when the app requests them.

Figure 8. Permissions requested by BingeChat
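The permission observation above can be turned into a simple static triage check. This is an added example, not ESET's code or anything from the BingeChat app: the manifest fragment is constructed, and READ_CALL_LOG and the BOOT_COMPLETED receiver are the two points this analysis singles out.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# The one requested permission the analysis calls atypical for a messaging app.
ATYPICAL_FOR_MESSAGING = {"android.permission.READ_CALL_LOG"}

# Constructed manifest fragment (not the real BingeChat manifest): a chat app
# that asks for call-log access and registers a receiver for BOOT_COMPLETED.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text: str) -> dict:
    """Flag permissions and boot-time receivers worth a second look in a chat app."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # Receivers whose intent filter listens for BOOT_COMPLETED (device-startup persistence).
    boot_receivers = [
        r.get(ANDROID_NS + "name")
        for r in root.iter("receiver")
        if any(a.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED"
               for a in r.iter("action"))
    ]
    return {
        "package": root.get("package"),
        "atypical_permissions": sorted(perms & ATYPICAL_FOR_MESSAGING),
        "boot_receivers": boot_receivers,
    }
```

A hit on either field is not proof of malware on its own, but for an app that presents itself as a messenger it is the combination this post describes.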

As part of the app’s legitimate functionality, it provides options to create an account and log in. Before the user signs into the app, GravityRAT starts to interact with its C&C server, exfiltrating the device user’s data and waiting for commands to execute. GravityRAT is capable of exfiltrating:

call logs
contact list
SMS messages
files with specific extensions: jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18, crypt32
device location
basic device information

Data to be exfiltrated is stored in text files on external media, then exfiltrated to the C&C server, and finally removed. The file paths for the staged data are listed in Figure 9.

Figure 9. File paths to data staged for exfiltration

This version of GravityRAT has two small updates compared to previous, publicly known versions of GravityRAT. First, it extends the list of files to exfiltrate to those with the crypt14, crypt12, crypt13, crypt18, and crypt32 extensions. These crypt files are encrypted backups created by WhatsApp Messenger. Second, it can receive three commands from a C&C server to execute:

DeleteAllFiles – deletes files with a particular extension that were exfiltrated from the device
DeleteAllContacts – deletes contact list
DeleteAllCallLogs – deletes call logs

These are very specific commands that are not typically seen in Android malware. Previous versions of Android GravityRAT could not receive commands at all; they could only upload exfiltrated data to a C&C server at a particular time.

GravityRAT contains two hardcoded C&C subdomains shown in Figure 10; however, it is coded to use only the first one (https://dev.androidadbserver[.]com).

Figure 10. Hardcoded initial C&C servers

This C&C server is contacted to register a new compromised device, and to retrieve two additional C&C addresses: https://cld.androidadbserver[.]com and https://ping.androidadbserver[.]com when we tested it, as shown in Figure 11.

Figure 11. C&C communication to register a new device

Again, only the first C&C server is used, this time to upload the device user’s data, as seen in Figure 12.

Figure 12. Victim data exfiltration to C&C server
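The domains and file extensions quoted in this analysis can be turned into defender-side checks. The following Python helpers are an added example, not ESET's code or the malware's: the domain set and the extension list come from this post, while the proxy log layout and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# C&C and distribution domains named in the analysis (defanged as in the post).
GRAVITYRAT_DOMAINS = {
    "bingechat[.]net", "downloads.bingechat[.]net",
    "dev.androidadbserver[.]com", "cld.androidadbserver[.]com",
    "ping.androidadbserver[.]com", "jre.jdklibraries[.]com",
}
# Extensions GravityRAT collects; crypt12/13/14/18/32 are WhatsApp backups.
# The list mixes cases (jpg and JPG), so it is matched case-sensitively.
TARGET_EXTENSIONS = {
    "jpg", "jpeg", "log", "png", "PNG", "JPG", "JPEG", "txt", "pdf", "xml",
    "doc", "xls", "xlsx", "ppt", "pptx", "docx", "opus",
    "crypt14", "crypt12", "crypt13", "crypt18", "crypt32",
}
# Assumed proxy log layout (constructed): "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|CONNECT) (\S+) (\d{3})$")

def refang(indicator: str) -> str:
    """Turn a defanged domain (example[.]com) back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

C2_HOSTS = {refang(d) for d in GRAVITYRAT_DOMAINS}

def is_targeted_file(name: str) -> bool:
    """True if a file with this name is on GravityRAT's exfiltration list."""
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in TARGET_EXTENSIONS

def scan_proxy_log(lines):
    """Return (host, client, method) for every line that reaches a GravityRAT host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, method, url, _status = m.groups()
        # CONNECT lines carry host:port only, so prepend a scheme before parsing.
        host = (urlparse(url if "://" in url else "https://" + url).hostname or "").lower()
        if host in C2_HOSTS:
            hits.append((host, client, method))
    return hits

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = [
    "2022-08-20T10:01:02Z 10.0.0.7 CONNECT dev.androidadbserver.com:443 200",
    "2022-08-20T10:01:03Z 10.0.0.7 POST https://cld.androidadbserver.com/upload 200",
    "2022-08-20T10:02:00Z 10.0.0.9 GET https://example.org/index.html 200",
]
```

is_targeted_file is useful when triaging a device's external storage listing, since it reports exactly which files this version of GravityRAT would have staged.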


Known to have been active since at least 2015, SpaceCobra has resuscitated GravityRAT to include expanded functionalities to exfiltrate WhatsApp Messenger backups and receive commands from a C&C server to delete files. Just as before, this campaign employs messaging apps as a cover to distribute the GravityRAT backdoor. The group behind the malware uses legitimate OMEMO IM code to provide the chat functionality for the malicious messaging apps BingeChat and Chatico.

According to ESET telemetry, a user in India was targeted by the updated Chatico version of the RAT, similar to previously documented SpaceCobra campaigns. The BingeChat version is distributed through a website that requires registration, likely open only when the attackers expect specific victims to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe. In any case, we believe the campaign is highly targeted.



Files: three samples (package name and ESET detection name per sample): two GravityRAT samples impersonating the BingeChat app and one GravityRAT sample impersonating the Chatico app.


Network (domain, hosting provider, first seen, details):
jre.jdklibraries[.]com – Chatico C&C server
Cloudflare, Inc. – BingeChat C&C servers
Cloudflare, Inc. – Chatico C&C server
Cloudflare, Inc. – Chatico distribution website
Cloudflare, Inc. – BingeChat C&C servers
Cloudflare, Inc. – BingeChat distribution website


Data is staged for exfiltration in the file paths listed in Figure 9.


MITRE ATT&CK techniques

This table was built using version 13 of the MITRE ATT&CK framework.

Persistence
Boot or Logon Initialization Scripts – GravityRAT receives the BOOT_COMPLETED broadcast intent to activate at device startup.
Event Triggered Execution: Broadcast Receivers
Defense Evasion
Indicator Removal on Host: File Deletion – GravityRAT removes local files that contain sensitive information exfiltrated from the device.
Discovery
File and Directory Discovery – GravityRAT lists available files on external storage.
System Network Configuration Discovery – GravityRAT extracts the IMEI, IMSI, IP address, phone number, and country.
System Information Discovery – GravityRAT extracts information about the device, including SIM serial number, device ID, and common system information.
Collection
Data from Local System – GravityRAT exfiltrates files from the device.
Location Tracking – GravityRAT tracks device location.
Protected User Data: Call Logs – GravityRAT extracts call logs.
Protected User Data: Contact List – GravityRAT extracts the contact list.
Protected User Data: SMS Messages – GravityRAT extracts SMS messages.
Command and Control
Application Layer Protocol: Web Protocols – GravityRAT uses HTTPS to communicate with its C&C server.
Exfiltration
Exfiltration Over C2 Channel – GravityRAT exfiltrates data using HTTPS.
Impact
Data Manipulation – GravityRAT removes files with particular extensions from the device, and deletes all user call logs and the contact list.
