WolfRAT targets WhatsApp, Facebook Messenger app users on Android devices

Updated: The new malware is unstable and appears to be a slapdash effort based on leaked DenDroid code.

In Thailand, a new version of and old Trojan is targeting messaging apps on Adroid phones
0:47

A new Trojan has been caught targeting Thai users of Whatsapp, Facebook Messenger, and Line messaging apps on the Android mobile platform. 

On Tuesday, Cisco Talos researchers said the malware, dubbed WolfRAT, is a new variant of DenDroid, a mobile Remote Access Trojan (RAT) that had its source code leaked in 2015. 

At the time, DenDroid was considered a sophisticated malware package that was on offer in underground forums with a price tag of $300. However, since its leak, variants have appeared that utilize the code -- but not necessarily improved upon it. 

WolfRAT begins its infection chain through fake update lures abusing legitimate services including Flash and Google Play. If a victim falls for this ploy, the RAT will install itself on the target Android device and performs spying functions, including gathering device data, taking photos and video, compromising SMS messaging, recording audio, and both stealing and transferring files to a C2. 

Messenger apps, in particular, are targeted, due to content exfiltrating functions alongside the theft of browser histories. When WhatsApp is in use, for example, the malware launches a screen recorder function at 50-second intervals which will only stop when the app is closed.

Some C2s are located in Thailand and the domains used reference Thai food. JavaScript commands written in Thai have also been found. 

TechRepublic: Average US citizen had personal information stolen at least 4 times in 2019

According to Talos researchers Warren Mercer, Paul Rascagneres, and Vitor Ventura, WolfRAT is likely the work of spyware seller Wolf Research. VirusTotal said in 2018 that the organization sold surveillance technology to governments and its solutions would infect Windows, iOS, and Android machines by way of fake Google Chrome Update notifications. 

See also: COVID-19 blamed for 238% surge in cyberattacks against banks

The command-and-control (C2) servers referenced by WolfRAT forged the connection to the group and its previous work. 

While Wolf Research appears to be formally closed -- having rebranded as LokD -- there may still be active members. 

"Thanks to the infrastructure sharing and forgotten panel names, we assess with high confidence that this actor is still active, it is still developing malware and has been using it [...] to today," the team says. 

However, the researchers added that the Trojan has "amateur" features, including overlaps in code, dead code, unused features, failures to manage and instance classes properly, unstable packages, open panels, and the lazy copy-and-paste usage of existing open source software. 

Talos said the lack of sophistication -- especially if linked to Wolf Research -- is at a "surprising" level.  

CNET: That old Android phone might not be safe to use: 6 things to consider

Talos says the malware is under constant development and it may be the case that meeting the expectations of customers has resulted in rushed jobs, in which old code and redundant functions are ignored. 

"Wolf Research claimed to shut down their operations but we clearly see that their previous work continues under a guise," the researchers commented. "The ability to carry out these types of intelligence-gathering activities on phones represents a huge score for the operator. The chat details, WhatsApp records, messengers, and SMSs of the world carry some sensitive information and people choose to forget these when communications occur on their phone."

Update: The name of another company referenced by Cisco Talos in the report has been removed due to a lack of clarity surrounding an alleged link. ZDNet has requested further details.  

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0