WolfRAT is malware based on a leaked version of Dendroid that has primarily targeted Thai users. WolfRAT has most likely been operated by the now defunct organization Wolf Research.[1]

ID: S0489
Platforms: Android
Version: 1.0
Created: 20 July 2020
Last Modified: 11 September 2020

Techniques Used

Domain ID Name Use
Mobile T1433 Access Call Log

WolfRAT can collect the device’s call log.[1]

Mobile T1432 Access Contact List

WolfRAT can collect the device’s contact list.[1]

Mobile T1517 Access Notifications

WolfRAT can receive system notifications.[1]

Mobile T1418 Application Discovery

WolfRAT can obtain a list of installed applications.[1]

Mobile T1429 Capture Audio

WolfRAT can record call audio.[1]

Mobile T1512 Capture Camera

WolfRAT can take photos and videos.[1]

Mobile T1412 Capture SMS Messages

WolfRAT can collect SMS messages.[1]

Mobile T1533 Data from Local System

WolfRAT can collect user account, photos, browser history, and arbitrary files.[1]

Mobile T1447 Delete Device Data

WolfRAT can delete files from the device.[1]

Mobile T1407 Download New Code at Runtime

WolfRAT can update the running malware.[1]

Mobile T1523 Evade Analysis Environment

WolfRAT can perform primitive emulation checks.[1]

Mobile T1444 Masquerade as Legitimate Application

WolfRAT has masqueraded as "Google service", "GooglePlay", and "Flash update".[1]

Mobile T1406 Obfuscated Files or Information

WolfRAT’s code is obfuscated.[1]

Mobile T1424 Process Discovery

WolfRAT uses dumpsys to determine if certain applications are running.[1]

Mobile T1513 Screen Capture

WolfRAT can record the screen and take screenshots to capture messages from Line, Facebook Messenger, and WhatsApp.[1]

Mobile T1582 SMS Control

WolfRAT can delete and send SMS messages.[1]

Mobile T1422 System Network Configuration Discovery

WolfRAT sends the device’s IMEI with each exfiltration request.[1]