WolfRAT is malware based on a leaked version of Dendroid that has primarily targeted Thai users. WolfRAT has most likely been operated by the now defunct organization Wolf Research.[1]

ID: S0489
Platforms: Android
Version: 1.0
Created: 20 July 2020
Last Modified: 11 September 2020

Techniques Used

Domain ID Name Use
Mobile T1517 Access Notifications

WolfRAT can receive system notifications.[1]

Mobile T1429 Audio Capture

WolfRAT can record call audio.[1]

Mobile T1533 Data from Local System

WolfRAT can collect user account, photos, browser history, and arbitrary files.[1]

Mobile T1407 Download New Code at Runtime

WolfRAT can update the running malware.[1]

Mobile T1630 .002 Indicator Removal on Host: File Deletion

WolfRAT can delete files from the device.[1]

Mobile T1655 .001 Masquerading: Match Legitimate Name or Location

WolfRAT has masqueraded as "Google service", "GooglePlay", and "Flash update".[1]

Mobile T1406 Obfuscated Files or Information

WolfRAT’s code is obfuscated.[1]

Mobile T1424 Process Discovery

WolfRAT uses dumpsys to determine if certain applications are running.[1]

Mobile T1636 .002 Protected User Data: Call Log

WolfRAT can collect the device’s call log.[1]

.003 Protected User Data: Contact List

WolfRAT can collect the device’s contact list.[1]

.004 Protected User Data: SMS Messages

WolfRAT can collect SMS messages.[1]

Mobile T1513 Screen Capture

WolfRAT can record the screen and take screenshots to capture messages from Line, Facebook Messenger, and WhatsApp.[1]

Mobile T1582 SMS Control

WolfRAT can delete and send SMS messages.[1]

Mobile T1418 Software Discovery

WolfRAT can obtain a list of installed applications.[1]

Mobile T1422 System Network Configuration Discovery

WolfRAT sends the device’s IMEI with each exfiltration request.[1]

Mobile T1512 Video Capture

WolfRAT can take photos and videos.[1]

Mobile T1633 .001 Virtualization/Sandbox Evasion: System Checks

WolfRAT can perform primitive emulation checks.[1]