Tool targeting Android users in Thailand looks to be work of sloppy spyware startup

A remote access trojan linked with spyware firm Wolf Research is targeting Thai Android users, Cisco Talos found.
the software pulls information from Facebook Messenger, WhatsApp, and Line, an end-to-end encrypted messaging application that's popular in Asia. (Flickr user <a href="">StevenW</a> / CC-BY-2.0)

A software surveillance tool that appears to be linked to a spyware company notorious for shoddy exploits has been spying on WhatsApp and Facebook messages of Android users in Thailand, according to new Cisco Talos research published Tuesday.

The malware, which Talos dubs “WolfRAT,” searches for activity on the victims’ chat applications so it can record activity on the screen, according to Talos. The surveillance tool is also capable of intercepting SMS messages, collecting contact information and browser history, taking photos, recording audio, and stealing users’ pictures, Talos researchers told CyberScoop.

The tool, which Talos observed being used as recently as April, is believed to be attached to Wolf Research, a startup that was shut down once its work was exposed in a talk at the 2018 VirusBulletin Conference.

Targets may be downloading WolfRAT after visiting websites with domain names linked to popular Thai cuisine, according to Talos. Victims may also have downloaded the Android malware through what looks like legitimate services like Google Play or Adobe Flash, but which are actually laced with the malicious software.


“It is a diversionary tactic that this actor has used to try to ensure the defender finds it more difficult to ascertain if this is malicious or not,” Warren Mercer, a technical lead at Cisco Talos, told CyberScoop. “[It is also used to] try to entice a user to click on it because they feel comfortable with something they know.”

Once on a device, the software pulls information from Facebook Messenger, WhatsApp, and Line, an end-to-end encrypted messaging application that’s popular in Asia.

Despite the belief that Wolf Research has shut down, Talos found evidence that this campaign overlaps with the company’s previously-used infrastructure. WolfRAT uses old command-and-control servers that Wolf Research used, for instance. Additionally, some of the panels on the attacker-controlled server contain windows with “Wolf Intelligence” in the title.

Victims targeted by Wolf Research products in the past have included people in Egypt, Saudi Arabia, and Turkey, as well as at least one human rights defender, according to victim data that leaked from the company in 2018. The company has also tried to sell surveillance and hacking technology to Mauritania, according to Vice’s Motherboard.

Talos does not attribute the use of WolfRAT to any particular actor. Many surveillance software companies, such as NSO Group, frequently claim they sell their products to governments for the express purpose of targeting terrorism or child abusers. Security researchers and human rights organizations claim many of these kinds of surveillance products target human rights defenders or journalists.


Further ties to Wolf

Since the 2018 VirusBulletin presentation outed Wolf Research, the people behind the firm appear to have started a new firm called LokD. The current director, Manish Kumar, founded Wolf Intelligence.

LokD claims to develop zero-day exploits and sell phones that are “unhackable,” according to its website. The company, which also says it works on mobile app security, claims to have locations in the U.S., U.K., Germany, Switzerland, and Cyprus.

LokD did not immediately return request for comment.

Amateur hour


When it was in business, Wolf Research was notorious for its slip-ups and amateur code. In 2018, the spyware company appeared to have left approximately 20 gigabytes of its own data exposed online, including information on customers and founders, recordings of meetings, and data on the company’s hacking targets.

The actors who created WolfRAT appeared to be sloppy in their development practices, Mercer told CyberScoop.

“They didn’t really have any desire or care about how they refactored their code or built their malware at all,” Mercer told CyberScoop. “They’ve taken DenDroid, repurposed it with a new feature or functionality and screen recording, but they haven’t removed unused … functionality so that they, to us, basically scream amateur.”

Over the course the campaign, WolfRAT developers used unstable code, and in some cases, anti-analysis features that were not obfuscated in any way, according to Talos.

“We watched WolfRAT evolve through various iterations which shows that the actor wanted to ensure functional improvements — perhaps they had deadlines to meet for their customers, but with no thought given to removing old code,” the researchers said in a blog post on the matter. “This malware is simplistic in comparison to some modern-day Android malware.”


Nonetheless, the product is intrusive and aimed at gathering sensitive information, according to Talos.

“The ability to carry out these types of intelligence-gathering activities on phones represents a huge score for the operator,” Talos researchers write. “The chat details, WhatsApp records, messengers and SMSs of the world carry some sensitive information and people choose to forget these when communications occur on their phone.”

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts