Heads up Android users! Here is another threat targeting your devices. New malware WolfRAT has surfaced online that targets messenger apps on Android, including Facebook Messenger and WhatsApp.
WolfRAT Malware Targeting Messenger Apps
Researchers from Cisco Talos Intelligence have found this Android malware in the wild. Dubbed WolfRAT, this malware specifically targets messaging apps on Android devices, including popular apps like Facebook Messenger, WhatsApp, and Line.
Sharing the details in a blog post, the researchers stated that this malware is loosely based on the leaked malware DenDroid. Yet, the malware seems to have gone through various improvements in stages to target the users. As stated by the researchers,
We watched WolfRAT evolve through various iterations which shows that the actor wanted to ensure functional improvements — perhaps they had deadlines to meet for their customers, but with no thought given to removing old code blocks, classes, etc. throughout the Android package.
Briefly, the malware targets messaging and chat apps on Android. To steal data, it begins taking stealthy screenshots of chats whenever such apps are open. This is in contrast with most new malware, which exploits the Android Accessibility Suite to access data. The screenshots are then uploaded to the malware's C2 server.
The malware reaches the target device through various malicious and fake updates to otherwise legit apps. For instance, it can mimic the Google Service to trick the user into installing the malware.
Then, it seeks explicit permissions from the victim to run on the device.
The malware will start the main service if all the requested permissions and the device admin privileges are granted. Otherwise, it will launch an ACTION_APPLICATION_SETTINGS intent trying to trick the user to grant the permissions.
Overall, it has a very basic structure with primitive anti-analysis functionality that only scans for an emulator environment.
Detailed technical analysis of the malware is available in the researchers’ post.
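The install pattern described above (a sideloaded app posing as a Google service and asking for device admin) can be checked for on managed devices. The following is an added example, not code from the researchers or this article; the inventory record format, the sample apps and the priority labels are assumptions made for illustration.

```python
# Added example. The inventory record format and sample apps are constructed.
PLAY_STORE = "com.android.vending"      # installer package name of Google Play
BRAND_WORDS = ("google", "play service")
# Package names of the messengers the article lists as targets.
MESSENGERS = {"com.facebook.orca", "com.whatsapp", "jp.naver.line.android"}


def findings(app):
    """Return the reasons one app record matches the described install pattern."""
    trusted = app["system"] or app["installer"] == PLAY_STORE
    if trusted:
        return []
    reasons = []
    label = app["label"].lower()
    if any(word in label for word in BRAND_WORDS):
        reasons.append("Google-branded label on a sideloaded app")
    if app["device_admin"]:
        reasons.append("device admin held by a sideloaded app")
    return reasons


def triage(inventory):
    """Return (priority, hits); hits maps package name to its reasons."""
    hits = {}
    for app in inventory:
        reasons = findings(app)
        if reasons:
            hits[app["package"]] = reasons
    installed = {app["package"] for app in inventory}
    if not hits:
        priority = "none"
    elif any(len(r) == 2 for r in hits.values()) and installed & MESSENGERS:
        priority = "high"   # both signals, and a targeted messenger is present
    else:
        priority = "review"
    return priority, hits


SAMPLE = [  # constructed inventory, e.g. as exported by an MDM
    {"package": "com.google.android.gms", "label": "Google Play services",
     "installer": None, "system": True, "device_admin": False},
    {"package": "com.example.update", "label": "Google service",
     "installer": None, "system": False, "device_admin": True},
    {"package": "com.example.mdm", "label": "Corp MDM Agent",
     "installer": PLAY_STORE, "system": False, "device_admin": True},
    {"package": "com.whatsapp", "label": "WhatsApp",
     "installer": PLAY_STORE, "system": False, "device_admin": False},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit is a lead for manual review, not proof of infection: legitimate sideloaded enterprise apps can match the same signals.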
Presently Active In Thailand
Researchers dubbed this new malware WolfRAT, considering the malware’s link with the now-defunct Wolf Research. Although the organization seemingly closed down, with this malware, the researchers believe that the threat actor is still active.
At present, the malware is actively targeting Android users in Thailand, supposedly, as an interception tool. Also, it presently bears a very basic structure. The threat actors have also leveraged open-source platforms for code and packages.
Nonetheless, the continuous iterations in the malware and the stealthy data exfiltration capabilities hint that the malware may evolve into a serious threat in the future.