Users of messaging apps are being tricked into installing a trojan on their Android phones that spies on them by gathering photos, videos, messages and audio recordings. Cisco Talos researchers call it "WolfRAT". It targets WhatsApp, Facebook Messenger, and Line users in the guise of a Google Play or Flash update and gets them to install the trojan on their phones, after which it not only collects various types of data but also sends them to the trojan's command and control (C2) servers.
Researchers said WolfRAT, a Remote Access Trojan (RAT), is a modified version of the older malware, DenDroid.
The source code of DenDroid was leaked in 2015, and since then, other malware like WolfRAT has come out to target unsuspecting users. Messaging apps in particular are on their radar. The Trojan was seen capturing the screen while WhatsApp Messenger was running.
According to researchers, Thai users are targeted by WolfRAT. Some of the C2 servers are also based in Thailand. The C2 server domain names also include Thai food names. In addition, Thai comments on the C2 system were also found.
Researchers argue that WolfRAT is very likely to be run by Wolf Research, an organization that used interception and espionage-based malware. While the organization may not be formally active, its members are likely to be active. This Trojan might also play the role of "an intelligence-gathering tool."
Researchers noted that there was a lot of copy/paste from public sources, dead code, insecure code, open tables, etc. They also added, however, that the ability to collect data from phones is a big advantage for the operator, as people send a lot of confidential information via messages, and they are often unconcerned about their privacy and protection.