Security researchers at Cisco Talos have discovered new Android malware that targets messaging apps such as WhatsApp, Line, and Facebook Messenger. The malware, codenamed “WolfRAT”, was found in espionage campaigns against users in Thailand.
The researchers attribute WolfRAT to Wolf Research, a Germany-based spyware organization that sells espionage malware to governments. Talos also found that WolfRAT is a modified version of the “DenDroid” malware family. According to Cisco Talos, DenDroid is Android malware first seen in 2014 whose command set is built for espionage: stealing photos, videos, and audio files from the device.
“The chat details, WhatsApp records, messengers and SMSs of the world carry some sensitive information and people choose to forget these when communications occur on their phone. We see WolfRAT specifically targeting Line, a highly popular encrypted chat app in Asia, which suggests that even a careful user with some awareness around end-to-end encryption chats would still be at the mercy of WolfRAT and its prying eyes,” researchers said in a statement.
The Infection Vector
According to the researchers, WolfRAT reaches devices through phishing or smishing links, so the victim installs the APK themselves rather than receiving it from an app store. The command-and-control (C2) server domain is hosted in Thailand and contains references to Thai food, presumably to make the links look legitimate to local users. Once installed, WolfRAT hides in plain sight by reusing legitimate app icons and package names: the malware ships under the package name “com.google.services” so that it appears to be a Google Play component, the researchers said.
“The name appears generic enough to make a non-tech savvy user think it is related to Google and is a required part of the Android Operating System. If the user presses the application icon, they will only see generic Google application information injected by the malware authors. This is aimed at ensuring the application is not uninstalled by the victim,” the researchers added.
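The disguise described above (a sideloaded package squatting on Google's namespace) is easy to triage on a device with adb. The script below is an added example for this page, not Cisco Talos code. It parses the output of `adb shell pm list packages -i -3` (third-party packages with their recorded installer; a sideloaded APK shows `installer=null`) and flags any `com.google.*` or `com.android.*` package that did not come from Google Play. The sample output, the trusted-namespace list and the package `com.google.example.payload` are constructed for the example.

```python
"""Triage helper: flag third-party Android packages that squat on the OS
vendor's namespace but were not installed from Google Play.

Input is the text of `adb shell pm list packages -i -3`. Each line has the
form `package:<name>  installer=<installer>`; a sideloaded package reports
`installer=null`. All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass

# Assumption: a non-system package in these namespaces should only ever have
# been delivered by Google Play. Adjust for devices with other trusted stores.
TRUSTED_NAMESPACES = ("com.google.", "com.android.")
PLAY_STORE = "com.android.vending"

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reason: str


def parse_pm_output(text):
    """Yield (package, installer) pairs from `pm list packages -i` output."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("pkg"), m.group("inst")


def find_namespace_squatters(text):
    """Return Findings for vendor-namespace packages not installed by Play."""
    findings = []
    for pkg, inst in parse_pm_output(text):
        if not pkg.startswith(TRUSTED_NAMESPACES):
            continue
        if inst == PLAY_STORE:
            continue  # delivered by Play; outside this heuristic
        if inst == "null":
            reason = "vendor-namespace package was sideloaded (no installer)"
        else:
            reason = f"vendor-namespace package was installed by {inst}"
        findings.append(Finding(pkg, inst, reason))
    return findings


# Constructed sample. "com.google.services" is the package name reported by
# Talos; "com.google.example.payload" is an invented name for illustration.
SAMPLE_PM_OUTPUT = """\
package:com.google.android.youtube  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.google.services  installer=null
package:jp.naver.line.android  installer=com.android.vending
package:com.google.example.payload  installer=com.android.chrome
"""

if __name__ == "__main__":
    for f in find_namespace_squatters(SAMPLE_PM_OUTPUT):
        print(f"{f.package:32} {f.reason}")
```

Two caveats a responder should keep in mind. First, the `-3` flag matters: preinstalled system apps, including genuine Google ones, also report `installer=null`, so without it the heuristic floods with false positives. Second, the installer field is metadata recorded at install time, not proof of origin; a hit is a triage lead to confirm by pulling the APK (`adb pull` on the path from `pm path <package>`) and checking its signing certificate with `apksigner verify --print-certs` against Google's.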
Malware Attacks on Android Devices
In a similar discovery, security researchers from Kaspersky Lab found threat actors exploiting the Google Play Store for years to distribute advanced Android malware to steal a wide range of sensitive data from users. According to the researchers, a malicious campaign named “PhantomLance” has been targeting Android devices with malware and spyware payloads embedded in applications delivered via multiple platforms including Google’s Play Store and other Android app stores like APKpure and APKCombo.