WolfRAT Malware Targets WhatsApp, Facebook Messenger
Researchers have found an Android malware that targets messaging apps such as WhatsApp and Facebook Messenger to scrape information. The malware, called WolfRAT, was found targeting Thai users. Researchers believe the malware is operated by Wolf Research, a Germany-based spyware organization that develops and sells malware to governments.
WhatsApp chat histories, messenger logs and SMS messages carry sensitive information, and people forget that this kind of collection can happen on their phone. WolfRAT specifically targets Line, a highly popular encrypted chat app in Asia, which suggests that even a careful user with some awareness of end-to-end encrypted chats would still be at the mercy of WolfRAT.
Once downloaded, WolfRAT poses as a legitimate service, such as a Google Play app or a Flash update, by using their icons and package names. These are normally functional packages, with no user interaction needed. The malware uses the package name com.google.services to pass itself off as a Google Play application. The name appears generic enough to make non-tech-savvy users think it is related to Google. When the user taps the application icon, they see only generic Google application information.
On further analysis of WolfRAT, researchers found the RAT is based on a previously leaked malware named DenDroid. DenDroid was discovered in 2014 and is a simple Android malware. It contains espionage-oriented commands for taking photos and videos, recording audio and uploading pictures. Later versions of the malware also request ACCESS_SUPERUSER and DEVICE_ADMIN permissions to gain privileged access rights on the device. Newer versions actively watch for Facebook Messenger, WhatsApp and Line activities. Once these apps are opened, the malware takes screenshots and uploads them to the C2.
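As an added example (not code from the original report or from the researchers who analysed the sample), the following Python triage script parses an AndroidManifest.xml for the two indicators the article names: a Google-like package name such as com.google.services and a request for ACCESS_SUPERUSER or device-admin rights. The manifest content and the signer flag are constructed for illustration; BIND_DEVICE_ADMIN is the real permission a device-admin receiver declares.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators from the article: privileged permissions that Dendroid-derived
# samples request, and package-name prefixes that imitate Google's own apps.
SUSPICIOUS_PERMS = {
    "android.permission.ACCESS_SUPERUSER",
    "android.permission.BIND_DEVICE_ADMIN",
}
GOOGLE_PREFIXES = ("com.google.", "com.android.")

# Constructed manifest modelled on the behaviour described above
# (hypothetical content, not copied from a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.google.services">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_SUPERUSER"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def parse_manifest(xml_text):
    """Return (package name, set of permission names the manifest uses)."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A device-admin receiver declares BIND_DEVICE_ADMIN on the receiver element.
    perms |= {e.get(ANDROID_NS + "permission") for e in root.iter("receiver")}
    return pkg, {p for p in perms if p}


def triage(xml_text, signer_is_google=False):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    pkg, perms = parse_manifest(xml_text)
    findings = []
    if pkg.startswith(GOOGLE_PREFIXES) and not signer_is_google:
        findings.append(f"package {pkg} imitates Google but is not Google-signed")
    for perm in sorted(perms & SUSPICIOUS_PERMS):
        findings.append(f"privileged permission requested: {perm}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST):
        print(finding)
```

In practice the signer check would come from the APK's signing certificate; the flag here stands in for that lookup.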
Researchers linked the campaign to Wolf Research after identifying infrastructure overlaps and string references previously used by the group. The organization appears to have shut down. Researchers believe its members are continuing their work under a new organization called LokD. According to that organization's website, it also offers services and has developed zero-day vulnerabilities to test its own products.