Users of messaging apps are being tricked into installing a trojan on their Android phones that spies on them by gathering photos, videos, messages, and audio recordings. Cisco Talos researchers call it “WolfRAT”. It targets WhatsApp, Facebook Messenger, and Line users, posing as a Google Play or Flash update to get them to install the trojan on their phones, after which it collects various types of data and sends them to the trojan's command and control (C2) servers.
Researchers said WolfRAT, a Remote Access Trojan (RAT), is a modified version of the older malware DenDroid. DenDroid’s source code was leaked in 2015, and other malware such as WolfRAT has since emerged to attack unsuspecting users. Messaging apps are a particular focus: the trojan was seen recording the screen when WhatsApp Messenger was running.
According to researchers, WolfRAT targets Thai consumers. Some of the C2 servers are themselves based in Thailand. The domain names of the C2 servers also include Thai food names. In addition, comments in Thai have been found in the C2 framework.
Wolf Research, an agency that used to build surveillance and spy-based malware, very likely operates WolfRAT. While the company may not be officially operating, its leaders are certainly employed. This trojan can also play the role of “a tool for gathering intelligence.”
Furthermore, the researchers found that work on the trojan was conducted lazily: there was a lot of copy/paste from public sources, dead code, broken code, open panels, and so on. However, they added that the ability to collect data from phones is a major win for the operator, as people send a lot of confidential information via messages and are often not concerned about their privacy and protection.