This article was originally published on June 1, 2020.
A new Android zero-day exploit, targeting primarily Thai users, has been uncovered by security researchers at Talos Intelligence.
Dubbed WolfRAT, the malware is based on the DenDroid family, a remote access trojan uncovered back in 2015. DenDroid’s source code has been publicly available since then, and some newer trojans have attempted to build on its functionality. This family of malware attempts to steal users’ photos, videos, and private conversations, with WolfRAT exhibiting the same malicious functions.
WolfRAT tricks users by impersonating a legitimate Google service, with researchers noting that one of its malware packages was named “com.google.services”—generic enough to convince people that it is a necessary system application and must be installed on their devices.
“If the user presses the application icon, they will only see generic Google application information injected by the malware authors. This is aimed at ensuring the application is not uninstalled by the victim,” added researchers at Talos Intelligence.
Once installed, WolfRAT proceeds to gather device data, record audio, and transfer files to a remote command-and-control center (C2). It’s particularly interested in messenger apps; on WhatsApp, for example, WolfRAT will launch a screen recorder function at preset intervals until the user exits the app.
Why is WolfRAT targeting Thailand?
WolfRAT seems to be the work of Wolf Research, a notorious developer of espionage-based malware, publicly uncovered by threat intelligence company CSIS group.
According to research by CSIS group, Wolf Research describes itself as developing “advanced big data systems, cyber security & AI, and data extraction solutions for the government and homeland security sectors.”
In layman’s terms, it develops cyber espionage solutions for governments and national security agencies to snoop on their own citizens.
Wolf Research’s HQ is in Germany, with more offices in Cyprus, Bulgaria, Romania, and India.
After the public reveal by CSIS group, Wolf Research purportedly shut down operations. However, a new shell operation called Lokd Ltd opened up in its place with the same director.
The researchers at Talos Intelligence concluded that WolfRAT, the new malware strain, has many of the same malicious algorithms developed by Wolf Research used in previous attacks. This evidence gives them “high confidence” that Lokd Ltd and Wolf Research are inextricably linked to each other; basically the same company under a different name.
Lokd’s website seems to have been taken down for maintenance since these revelations, but an old press release circulated by the company says it is “a cybersecurity company that provides comprehensive mobile security solution to several industries and organizations most especially for the Military and Corporate parastatals. The cybersecurity company is passionate about delivery [sic] innovative security solutions vital for every organization’s cyber defense strategy.”
What can I do to stay safe?
The malware might be localized in Thailand for now, but there’s nothing stopping it from spreading to other parts of the world. As a first step, be sure to accept update notifications from your antivirus software or any other malware repellent app you have on your phone. As usual, be sure to practice good safety practices such as only downloading software you know and trust and clicking on links sent to you by legitimate users.
Most major malware protection software providers have new patches that should resist WolfRAT, but there’s no such thing as too much security. Be sure to enable automatic updates by default so that you’re never caught off guard.