WolfRAT, the virus targeting WhatsApp users: how to defend yourself

WolfRAT is a Trojan virus that takes control of the smartphone and collects the user’s personal data, especially via WhatsApp and Messenger.

Researchers from the Cisco Talos Security Intelligence and Research Group have uncovered a dangerous new virus, which they have dubbed WolfRAT and which mainly affects instant messaging apps such as Facebook Messenger, Line and, above all, WhatsApp. It is not an entirely new virus, but a new version of a known one: DenDroid.

To be precise, it is a “RAT”, that is, a Remote Access Trojan. These viruses take control of infected devices to steal personal data and spy on the user. WolfRAT is a very strange case, because it seems to be a botched version of DenDroid: several dead strings (that is, useless ones) and some errors have been found in its code, so much so that the malware is not always effective. However, the virus from which it derives, DenDroid, is still quite elaborate and dangerous despite dating back to 2015. Most importantly, WolfRAT seems to be traceable to a hacker group believed to be disbanded.

WolfRAT: how it works and what you risk

At the moment, the risk WolfRAT poses to Italian users is only theoretical, because the virus has only been isolated on devices in Thailand, where it was spread (exactly as DenDroid was) via fake Chrome, Flash or Play Store update notifications. Once it settles on the device, WolfRAT infects it and starts collecting data such as browser history and call and SMS logs. But this is the least of it, because the virus is also able to take control of the camera and microphone and, when WhatsApp is open, to record videos of the user’s screen at 50-second intervals. All the collected material is then sent to Command and Control (C2) servers in Thailand. The malware’s Thai origin would also seem to be confirmed by some JavaScript commands written in Thai.

Is Wolf Research back?

According to Talos researchers, the servers receiving the data stolen by WolfRAT can be traced back to a well-known spyware vendor called Wolf Research, the same one that developed DenDroid five years ago. According to a 2018 VirusTotal report, Wolf Research in the past sold malware for remote surveillance of Windows, Android and iOS devices to foreign governments. Wolf Research is officially closed, however, having been transformed into another company called LokD. Talos’ hypothesis is that former Wolf Research people are still in business, and that these individuals are picking up DenDroid’s code again to rework it into a new and more powerful virus.