S0489: WolfRAT
Analyst context for executives and security teams
WolfRAT is Android malware, based on leaked Dendroid code, with reporting indicating it primarily targeted Thai users. Its ATT&CK relationships make it material for mobile risk because it combines evasion, runtime code download, device and app discovery, and collection of sensitive mobile data such as audio, video, screen content, notifications, SMS, call logs, contacts, and local files.
Executive priority
Treat WolfRAT as a mobile surveillance and data-exposure planning case rather than just a malware name. Leaders should ask whether Android devices used for business have enforceable app governance, permission monitoring, mobile incident response procedures, and evidence collection for suspicious access to microphone, camera, notifications, SMS, contacts, call logs, local files, and runtime code loading. This matters for executive communications, regulated data handling, identity verification workflows that rely on mobile notifications or SMS, and resilience of bring-your-own-device or managed Android programs.
Technical view
ATT&CK does not provide a detection section for WolfRAT, so validation should be relationship-driven. SOC, mobile security, and IR teams should confirm visibility into Android applications that use obfuscated files, download code after installation, enumerate installed software or running processes, inspect network configuration, access notifications, control or read SMS, access call logs and contacts, collect local files, capture audio/video/screen content, perform system checks suggestive of sandbox or emulator avoidance, delete files, or mimic legitimate names, icons, package names, or locations. Because runtime code download and obfuscation can reduce static-analysis value, teams should validate both pre-install app review and post-install behavioral telemetry.
Likely telemetry
- Android app inventory, package name, application label, icon, install source, and update history
- Requested and granted Android permissions, especially microphone, camera, notification access, SMS, contacts, call log, storage, and administrator-style capabilities where available
- Mobile device management or enterprise mobility management compliance events for managed Android devices
- Mobile threat defense or endpoint telemetry for runtime code loading, dynamic payload retrieval, obfuscated content, and suspicious app behavior
- Network telemetry from mobile devices or secure gateways showing unusual application connections or downloads after installation
Detection direction
- Do not rely only on app-store or static APK scanning; T1407 indicates runtime code download can shift malicious behavior until after installation.
- Prioritize behavior-based detections for unusual combinations of permissions and actions, such as notification access plus SMS access, or microphone/camera access plus network transfer.
- Tune for Android apps whose names, icons, package names, or locations approximate trusted applications, while allowing for legitimate brand or system-app naming to reduce false positives.
- Correlate discovery behaviors such as installed-app enumeration, process discovery, and network configuration checks with later collection behaviors to distinguish ordinary app functionality from suspicious multi-stage behavior.
- Account for false positives from legitimate communications, backup, device-management, accessibility, or security applications that may request broad permissions for valid reasons.
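As an added example (not from the ATT&CK object or the Talos report), the triage below applies the detection direction above to constructed Android app-inventory records: it flags the risky permission combinations, sideloading followed by runtime code loading, and labels that approximate a trusted app under a different package name, while honouring an allowlist for legitimate broad-permission apps. The permission strings are real Android names; the package names, the trusted-label mapping, the allowlist and the sample records are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher
NOTIF = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
       "android.permission.RECEIVE_SMS"}
AV = {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"}
NET = "android.permission.INTERNET"
PLAY_STORE = "com.android.vending"   # install source reported for Play Store installs
# Label -> expected package for apps that malware imitates (assumed mapping).
TRUSTED = {"Google Play services": "com.google.android.gms",
           "Google Play Store": "com.android.vending"}
# Known-good apps that legitimately need broad permissions (constructed allowlist).
ALLOWLIST = {"com.example.enterprise.sms"}

def _norm(label):
    return re.sub(r"[^a-z0-9]", "", label.lower())

def impersonates(label, package):
    """True if the label looks like a trusted app but the package is not its package."""
    n = _norm(label)
    for name, pkg in TRUSTED.items():
        t = _norm(name)
        close = n in t or SequenceMatcher(None, n, t).ratio() >= 0.8
        if close and package != pkg:
            return True
    return False

def triage(app):
    """Return the detection rules an inventory record trips, in evaluation order."""
    if app["package"] in ALLOWLIST:
        return []                       # suppress expected false positives
    p = set(app["permissions"])
    hits = []
    if NOTIF in p and p & SMS:
        hits.append("notification_plus_sms")       # T1517 with T1636.004 / T1582
    if p & AV and NET in p:
        hits.append("audio_video_plus_network")     # T1429 / T1512 with a transfer path
    if app["install_source"] != PLAY_STORE and app.get("runtime_code_load"):
        hits.append("sideload_plus_runtime_code")   # T1407 after installation
    if impersonates(app["label"], app["package"]):
        hits.append("impersonates_trusted_app")     # T1655.001
    return hits

SAMPLE = [  # constructed inventory records, not real indicators
    {"package": "com.update.svc", "label": "Google service", "install_source": "unknown",
     "runtime_code_load": True, "permissions": [NOTIF, "android.permission.READ_SMS",
                                               NET, "android.permission.RECORD_AUDIO"]},
    {"package": "com.example.enterprise.sms", "label": "Enterprise Messenger",
     "install_source": PLAY_STORE, "runtime_code_load": False,
     "permissions": [NOTIF, "android.permission.READ_SMS", NET]},
]
```

Running `triage` over `SAMPLE` returns all four rules for the first record and nothing for the allowlisted second one.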
Mitigation priorities
- Enforce Android app governance: restrict untrusted installation sources, maintain approved app lists where practical, and review apps that mimic legitimate names or icons.
- Use managed-device controls where available to limit high-risk permissions and monitor grants for microphone, camera, notification access, SMS, contacts, call logs, and storage.
- Pair static mobile app vetting with behavioral monitoring capable of identifying post-install code downloads and suspicious runtime activity.
- Define mobile IR procedures for isolating a suspected Android device, preserving relevant app, permission, network, and file evidence, and assessing exposure of SMS-based codes, notifications, contacts, call logs, and local files.
- Educate users and support teams to escalate unexpected permission prompts, suspicious SMS activity, missing notifications, or apps that appear to impersonate trusted software.
Analyst notes and limits
The supplied ATT&CK object identifies WolfRAT as Android malware based on a leaked version of Dendroid and notes reporting that it primarily targeted Thai users and was most likely operated by the now-defunct Wolf Research organization. The object has no aliases, no explicit tactics listed, and no official detection text. The most useful defensive interpretation comes from the listed technique relationships, which describe evasion, discovery, collection, SMS interaction, file deletion, and impersonation-style behaviors on Android.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not establish current activity, customer exposure, guaranteed detection, specific indicators, or confirmed attribution beyond the official description. Local device management, mobile telemetry, app inventory, and network evidence are required to determine actual risk and coverage.
WolfRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1422 | System Network Configuration Discovery | WolfRAT sends the device’s IMEI with each exfiltration request. [1] |
| Mobile | T1636.002 | Call Log (sub-technique) | WolfRAT can collect the device’s call log. [1] |
| Mobile | T1630.002 | File Deletion (sub-technique) | WolfRAT can delete files from the device. [1] |
| Mobile | T1418 | Software Discovery | WolfRAT can obtain a list of installed applications. [1] |
| Mobile | T1429 | Audio Capture | WolfRAT can record call audio. [1] |
| Mobile | T1512 | Video Capture | WolfRAT can take photos and videos. [1] |
| Mobile | T1513 | Screen Capture | WolfRAT can record the screen and take screenshots to capture messages from Line, Facebook Messenger, and WhatsApp. [1] |
| Mobile | T1636.004 | SMS Messages (sub-technique) | WolfRAT can collect SMS messages. [1] |
| Mobile | T1582 | SMS Control | WolfRAT can delete and send SMS messages. [1] |
| Mobile | T1636.003 | Contact List (sub-technique) | WolfRAT can collect the device’s contact list. [1] |
| Mobile | T1533 | Data from Local System | WolfRAT can collect user account, photos, browser history, and arbitrary files. [1] |
| Mobile | T1655.001 | Match Legitimate Name or Location (sub-technique) | WolfRAT has masqueraded as “Google service”, “GooglePlay”, and “Flash update”. [1] |
| Mobile | T1633.001 | System Checks (sub-technique) | WolfRAT can perform primitive emulation checks. [1] |
| Mobile | T1406 | Obfuscated Files or Information | WolfRAT’s code is obfuscated. [1] |
| Mobile | T1424 | Process Discovery | WolfRAT uses `dumpsys` to determine if certain applications are running. [1] |
| Mobile | T1407 | Download New Code at Runtime | WolfRAT can update the running malware. [1] |
| Mobile | T1517 | Access Notifications | WolfRAT can receive system notifications. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 107c5e764828… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Talos-WolfRAT: W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.
[2] mitre-attack: S0489
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.