A new Android malware family has been discovered, which targets popular messaging apps like WhatsApp and Facebook Messenger to gather intelligence on Android victims.
The malware, dubbed WolfRAT, is under active development, and was recently identified in campaigns targeting Thai users. Researchers assess with “high confidence” that the malware is operated by Wolf Research, a Germany-based spyware organization that develops and sells espionage-based malware to governments.
“The chat details, WhatsApp records, messengers and SMSs of the world carry some sensitive information and people choose to forget these when communications occur on their phone,” said Warren Mercer, Paul Rascagneres and Vitor Ventura, researchers with Cisco Talos, in a Tuesday analysis. “We see WolfRAT specifically targeting a highly popular encrypted chat app in Asia, Line, which suggests that even a careful user with some awareness around end-to-end encryption chats would still be at the mercy of WolfRAT and it’s prying eyes.”
Warren Mercer, technical lead at Cisco Talos, told Threatpost that he believes the infection vector was via phishing/smishing links sent to users devices. Researchers found that the command-and-control (C2) server domain is located in Thailand and contains references to Thai food, giving a clue about what the lure could potentially be.
The Campaign
Once downloaded, WolfRAT poses as legitimate services, such as Google Play apps or Flash updates, by using their icons and package names. These are normally functional packages, with no user interaction needed, Mercer said. For instance, the malware uses a package name (“com.google.services”) to pretend to be a Google Play application.
“The name appears generic enough to make a non-tech savvy user think it is related to Google and is a required part of the Android Operating System. If the user presses the application icon they will only see generic Google application information injected by the malware authors,” Mercer told Threatpost. “This is aimed at ensuring the application is not uninstalled by the victim.”
Upon further research of WolfRAT itself, researchers found the RAT is based on a previously leaked malware named DenDroid. DenDroid was discovered in 2014 and is a fairly simple Android malware (it doesn’t take advantage of the Android accessibility framework, for instance, as many modern Android malware families do). DenDroid contains espionage-based commands for taking photos and videos, recording audio and uploading pictures.
Researchers identified at least four major releases of the WolfRAT, reflecting that it’s under “intense development.” In terms of timeline, researchers identified samples that show activity from January 2019, however, one of the C2 domains was registered in 2017 (ponethus[.]com), Mercer said.
These versions revealed several capabilities, including a screen-recording feature. During their analysis of the earlier samples, researchers noticed that the feature was never called or used by the malware — however, in later samples the screen recording is started when the RAT determines that WhatsApp is running.
Later versions of the malware also feature various permissions requesting ACCESS_SUPERUSER (deprecated in Android 5.0 onward), and DEVICE_ADMIN privileges (also deprecated, in Android 10), which both are attempted methods of accessing privileged access rights (i.e.; administrative permissions) on the victim’s device. Another permission added, READ_FRAME_BUFFER, is the “most important API used here,” Mercer told Threatpost, as it can be used by an application to obtain screenshots of the current device screen (ie; WhatsApp). Adding onto that capability, later versions of the malware actively search for Facebook Messenger, WhatsApp and Line activities. Once these apps are opened, the malware takes screenshots and uploads them to the C2.
Researchers noted that the constant addition and removal of packages, along with the huge quantity of unused code and usage of deprecated and old techniques, “denotes an amateur development methodology.”
“This actor has shown a surprising level of amateur actions, including code overlaps, open-source project copy/paste, classes never being instanced, unstable packages and panels that are freely open,” they said.
Wolf Research Links
Researchers linked the campaign to Wolf Research after identifying infrastructure overlaps and string references used previously by the group. The organization appears to be shut down, said researchers, but the threat actors are still very active. Researchers believe its operators are continuing to work under the guise of a new organization, called LokD. This new organization proposed the creation of a more secure Android phone, said researchers. Based on the organization’s website, it also proposes services and developed zero-day vulnerabilities to test their own products.
“However, thanks to the infrastructure sharing and forgotten panel names, we assess with high confidence that this actor is still active, it is still developing malware and has been using it from mid-June to today,” said researchers. “On the C2 panel, we found a potential link between Wolf Research and another Cyprus organization named Coralco Tech. This organization is also working on interception technology.”
Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.