WolfRAT Android Malware Targeting WhatsApp, Facebook Messenger Users: Cisco Researchers
Messaging app users are being tricked into installing a Trojan on their Android phones that spies on them by collecting photos, videos, and messages and by recording audio. The researchers at Cisco Talos are calling it “WolfRAT”. It targets users of WhatsApp, Facebook Messenger, and Line, and poses as a Google Play or Flash update to get them to install it. Once installed, it collects different types of data and sends them to the Trojan's command and control (C2) servers.
WolfRAT: The malware is developed from dead code of the Trojan, public source code, and unstable code. It is a version of a Trojan virus that helps an attacker steal users' private data, from text files to photos and videos.
Cisco found this malware and named it WolfRAT because it is inserted invisibly into the victim's application.
What is a Trojan? One form of Trojan malware has targeted Android devices specifically. Called Switcher Trojan, it infects users' devices to attack the routers on their wireless networks. The result? Cybercriminals could redirect traffic on the Wi-Fi-connected devices and use it to commit various crimes.
Researchers said that WolfRAT, a Remote Access Trojan (RAT), is a modified version of DenDroid, an older malware. DenDroid’s source code was leaked in 2015 and since then, other malware like WolfRAT have come out to attack unsuspecting users. Messaging apps are especially on their radar. The Trojan was seen recording the screen when WhatsApp Messenger was being run.
According to researchers, Thai users are being targeted by WolfRAT. Some of the C2 servers are also based in Thailand itself. The C2 server domain names contain Thai food names as well. Moreover, Thai comments were also found on the C2 framework.
The researchers claim that WolfRAT is very likely being run by Wolf Research, an organisation that used to create interception and espionage-based malware. While the organisation may not be formally active, its members are likely to be functioning. This trojan is also possibly performing the role of “an intelligence-gathering tool”.
Additionally, the researchers found that work on the trojan was done in a lazy manner. There was a lot of copy/paste from public sources, dead code, unstable code, open panels, etc. However, they added that the ability to gather data from phones is a big win for the operator, because people send a lot of sensitive information via messages and are mostly unconcerned about their privacy and security.