Messaging apps users are being tricked into installing a trojan on their Android phones that spies on them by collecting photos, videos, messages, and recording audio. The researchers at Cisco Talos are calling it “WolfRAT”. It targets users of Whatsapp, Facebook Messenger, and Line in the guise of a Google Play or Flash update and gets them to install the trojan on their phones after which it not only collects different types of data but also sends them to the trojan command and control (C2) servers.
Researchers said that WolfRAT, a Remote Access Trojan (RAT), is a modified version of DenDroid, an older malware. DenDroid’s source code was leaked in 2015 and since then, other malware like WolfRAT have come out to attack unsuspecting users. Messaging apps are especially on their radar. The trojan was seen recording the screen when WhatsApp Messenger was being run.
According to researchers, Thai users are being targeted by WolfRAT. Some of the C2 servers are also based in Thailand itself. The C2 server domain names contain Thai food names as well. Moreover, Thai comments were also found on the C2 framework.
The researchers claim the WolfRAT is very likely being run by Wolf Research, an organisation that used to create interception and espionage-based malware. While the organisation may not be formally active, its members are likely to be functioning. This trojan is also possibly performing the role of “an intelligence-gathering tool”.
Additionally, the researchers found that work on the trojan was done in a lazy manner. There was a lot of copy/paste from public sources, dead code, unstable code, and open panels etc. However, it was also added by them that the ability to gather data from phones is a big win for the operator because people send a lot of sensitive information via messages and are mostly unafraid about their privacy and security.