A study from Cisco Talos has revealed a new Android malware targeting WhatsApp, Facebook Messenger and Line Messenger. The new malware is based on the DenDroid Android malware family and is currently being used against Android smartphone users in Thailand. Noting the strong influence of the interception and espionage malware developer Wolf Research, security researchers at Cisco Talos have named the malware WolfRAT.
How WolfRAT Works
The WolfRAT malware tricks its victims by impersonating legitimate Android apps such as the Google Play Store, Google Service, or a Flash update. The Remote Access Trojan (RAT) can be used to spy on the victim by collecting sensitive data from the infected device.
The researchers report that, once installed, WolfRAT can record sensitive user data such as SMS messages, capture data from instant messaging services including WhatsApp, Line, and Facebook Messenger, and send it back to its command-and-control (C2) server. It can also take photos and videos, activate the microphone to record audio, and collect device information.
WolfRAT's prime targets are instant messenger apps. For instance, the Trojan starts a screen recorder every 50 seconds to capture the entire conversation in WhatsApp; the recorder stops once the victim closes WhatsApp.
Active in Thailand
The Talos researchers found that the C2 server to which the malware sends victims' data is located in Thailand. They also found comments in the C2 code written in Thai. The most striking detail, however, is the malware authors' use of several popular Thai dish names throughout the kill chain.
For instance, the malware's C2 domain names are taken from well-known Thai dishes such as Nam Phrik Num (Nampriknum.net) and the papaya chili salad Som Tum (Somtum.today).
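The two C2 domains above are the only concrete network indicators the article gives, so the natural defender's use of them is a DNS-log sweep. The following Python script is an added example written for this article, not Talos tooling or code from the WolfRAT analysis. It assumes a constructed log format (timestamp, client IP, queried name, one query per line) and treats a query as a hit when it equals a listed C2 domain or is a subdomain of one; the sample log lines, IPs and timestamps are invented for the example.

```python
"""Flag DNS queries for the WolfRAT C2 domains named in the Talos write-up.

Added example for this article, not Talos tooling. Assumptions (not from
the article): the log format is constructed as
"<ISO timestamp> <client ip> <queried name>", and matching is a
case-insensitive suffix match so subdomains of a C2 domain are caught too.
"""
import re
from typing import Iterable, List, Optional, Tuple

# C2 domains as reported in the article (named after Thai dishes).
WOLFRAT_C2_DOMAINS = ("nampriknum.net", "somtum.today")

# Constructed log format: "<ISO timestamp> <client ip> <queried name>"
_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'CDN.Somtum.Today.' matches."""
    return name.strip().rstrip(".").lower()


def matches_c2(qname: str, domains: Iterable[str] = WOLFRAT_C2_DOMAINS) -> Optional[str]:
    """Return the matched C2 domain if qname is that domain or a subdomain
    of it, else None. 'notsomtum.today' is deliberately NOT a match: the
    suffix check requires a dot boundary."""
    q = normalize(qname)
    for d in domains:
        d = normalize(d)
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, matched_domain) for each hit.
    Malformed lines are skipped rather than failing the whole scan."""
    hits = []
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        hit = matches_c2(qname)
        if hit:
            hits.append((ts, client, qname, hit))
    return hits


# Constructed sample log; the IPs and timestamps are invented for the example.
SAMPLE_LOG = [
    "2020-05-19T09:12:01Z 10.0.0.15 www.google.com",
    "2020-05-19T09:12:05Z 10.0.0.23 nampriknum.net",
    "2020-05-19T09:12:07Z 10.0.0.23 api.Somtum.Today.",
    "2020-05-19T09:12:09Z 10.0.0.40 notsomtum.today",  # not a subdomain: no hit
    "garbage line",  # malformed: skipped
]

if __name__ == "__main__":
    for ts, client, qname, dom in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} queried {qname} (matches WolfRAT C2 {dom})")
```

The dot-boundary check in `matches_c2` matters in practice: a plain substring match on `somtum.today` would also fire on unrelated names that merely end with the same characters, which is the kind of false positive that gets a rule switched off.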
Old Wine in a New Bottle
The WolfRAT Android malware is based entirely on an older Android malware called DenDroid. DenDroid was analyzed by many cybersecurity researchers back in 2014, and its source code was published on GitHub in 2015.
Researchers say WolfRAT is not as complex as modern Android malware and does not abuse the commonly used accessibility framework to retrieve information from non-rooted devices.
The Talos researchers said the app lacks sophistication in how it operates and executes; they found several stretches of dead code and unused features.