A new Android malware family has been discovered, which targets popular messaging apps like WhatsApp and Facebook Messenger to gather intelligence on Android victims.
The malware, dubbed WolfRAT, is under active development, and was recently identified in campaigns targeting Thai users. Researchers assess with “high confidence” that the malware is operated by Wolf Research, a Germany-based spyware organization that develops and sells espionage-based malware to governments.
“The chat details, WhatsApp records, messengers and SMSs of the world carry some sensitive information and people choose to forget these when communications occur on their phone,” said Warren Mercer, Paul Rascagneres and Vitor Ventura, researchers with Cisco Talos, in a Tuesday analysis. “We see WolfRAT specifically targeting a highly popular encrypted chat app in Asia, Line, which suggests that even a careful user with some awareness around end-to-end encryption chats would still be at the mercy of WolfRAT and it’s prying eyes.”
Warren Mercer, technical lead at Cisco Talos, told Threatpost that he believes the infection vector was via phishing/smishing links sent to users devices. Researchers found that the command-and-control (C2) server domain is located in Thailand and contains references to Thai food, giving a clue about what the lure could potentially be.
Once downloaded, WolfRAT poses as legitimate services, such as Google Play apps or Flash updates, by using their icons and package names. These are normally functional packages, with no user interaction needed, Mercer said. For instance, the malware uses a package name (“com.google.services”) to pretend to be a Google Play application.
“The name appears generic enough to make a non-tech savvy user think it is related to Google and is a required part of the Android Operating System. If the user presses the application icon they will only see generic Google application information injected by the malware authors,” Mercer told Threatpost. “This is aimed at ensuring the application is not uninstalled by the victim.”