This Android Malware Is Hacking WhatsApp & Stealing Your Private Pics, Chats, Videos


Cyber theft and fraud do not cease; new malware is discovered every day!

A new malware called ‘WolfRAT’ is targeting messaging apps, such as WhatsApp, Facebook Messenger and Line on Thai Android devices.

Read to find out more…

How Does the Malware Attack Your WhatsApp, Messenger, Line?

With easy access to the internet, almost everyone on the planet uses messaging apps such as WhatsApp and Facebook Messenger, among others.

Users of these apps are being misled into installing a Trojan on their Android phones that spies on them by collecting photos, videos and messages, and by recording audio.

It targets users of WhatsApp, Facebook Messenger and Line in the guise of a Google Play or Flash update and gets them to install the Trojan on their phones, after which it not only collects different types of data but also sends them to the Trojan’s command and control (C2) servers.

Campaigns targeting Thai users and their devices were identified, with some of the C2 servers located in Thailand. The C2 server domain names contained Thai food names, and the panels contained Thai JavaScript comments. These unremarkable-looking domain names are used to entice users to visit the C2 panels without arousing suspicion.

What is Known of the ‘WolfRAT’?

Cisco Talos, an intelligence team, named this Trojan ‘WolfRAT’. According to their research, it is based on the leaked source code of the DenDroid malware family. DenDroid’s source code was leaked in 2015, and since then other malware such as WolfRAT has emerged to attack unsuspecting users.

Talos said in a blog post that it believes with high confidence that this modified version of the malware is operated by an outfit known as ‘Wolf Research’, which appears to have closed but has rebranded as ‘LokD’ and still poses an active threat.

In March, PC Risk reported that LokD belongs to the ransomware family called Djvu, which encrypts victims’ files, renames them and creates a ransom note. LokD renames encrypted files by appending the ‘.lokd’ extension to their filenames.

During the VirusBulletin conference in 2018, CSIS researchers Benoît Ancel and Aleksejs Kuprins gave a presentation on Wolf Research and its offensive arsenal, Talos noted. Ancel and Kuprins mentioned an Android, iOS and Windows remote-access tool (RAT).

The researchers claim WolfRAT is very likely being run by Wolf Research, an organisation that used to create interception and espionage-based malware. While the organisation may not be formally active, its members are likely still operating.

Wolf is headquartered in Germany with offices in Cyprus, Bulgaria, Romania, India and (possibly) the U.S. Wolf closed after the CSIS presentation but reemerged based in Cyprus as the aforementioned LokD.

Talos reported that the malware is most likely used as an intelligence-gathering tool for actors, one that can be packaged and sold, based on its tracking of Wolf Research’s past activities. Talos said the actor’s operations were carried out in a ‘lazy manner’: there was a lot of copy/paste from public sources, dead code, unstable code, open panels, etc.

However, Talos also added that the ability to gather data from phones is a big win for the operator, because people send a lot of sensitive information via messages and are mostly unconcerned about their privacy and security. Hence messaging apps are on the operator’s radar.
