A new Android zero-day exploit, targeting primarily Thai users, has been uncovered by security researchers at Talos Intelligence. Dubbed WolfRAT, the malware is based on the DenDroid family, a remote access trojan uncovered back in 2015. DenDroid’s source code has been publicly available since then, and some newer trojans have attempted to build on its functionality. This family of malware attempts to steal users’ photos, videos, and private conversations, with WolfRAT exhibiting the same malicious functions.

WolfRAT tricks users by impersonating a legitimate Google service, with researchers noting that one of its malware packages was named “com.google.services”—generic enough to convince people that it is a necessary system application and must be installed on their devices. “If the user presses the application icon, they will only see generic Google application information injected by the malware authors. This is aimed at ensuring the application is not uninstalled by the victim,” added researchers at Talos Intelligence.

Once installed, WolfRAT proceeds to gather device data, record audio, and transfer files to a remote command-and-control center (C2). It’s particularly interested in messenger apps; on WhatsApp, for example, WolfRAT will launch a screen recorder function at preset intervals until the user exits the app.
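A defender-side triage check for the package-name impersonation described above, added here as an example and not taken from the Talos report: it parses `adb shell pm list packages -f -i` output and flags `com.google.*` packages that are neither preinstalled nor installed by Google Play. The sample listing, the trusted-installer set and the system path prefixes are assumptions constructed for illustration.

```python
import re

# Constructed sample of `adb shell pm list packages -f -i` output (not from a real device).
SAMPLE = """\
package:/system/priv-app/GmsCore/GmsCore.apk=com.google.android.gms  installer=com.android.vending
package:/data/app/com.google.android.youtube-1/base.apk=com.google.android.youtube  installer=com.android.vending
package:/data/app/com.google.services-1/base.apk=com.google.services  installer=null
package:/data/app/com.whatsapp-2/base.apk=com.whatsapp  installer=com.android.vending
package:/data/app/org.example.notes-1/base.apk=org.example.notes  installer=null
"""

# Assumption: only Google Play counts as a trusted installer for Google-namespace apps.
TRUSTED_INSTALLERS = {"com.android.vending"}
# Assumption: APKs under these read-only partitions shipped with the device image.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")

# The APK path may itself contain '=' on newer Android releases, so the path
# group is greedy and the package name is anchored by the installer field.
LINE = re.compile(
    r"^package:(?P<path>.+)=(?P<name>[\w.]+)\s+installer=(?P<installer>\S+)$"
)


def suspicious_google_lookalikes(listing):
    """Return (name, path, installer) for com.google.* packages that are
    user-installed and did not come from a trusted installer."""
    findings = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        name, path, installer = m["name"], m["path"], m["installer"]
        if not name.startswith("com.google."):
            continue  # only the Google namespace is of interest here
        preinstalled = path.startswith(SYSTEM_PREFIXES)
        if not preinstalled and installer not in TRUSTED_INSTALLERS:
            findings.append((name, path, installer))
    return findings


if __name__ == "__main__":
    for name, path, installer in suspicious_google_lookalikes(SAMPLE):
        print(f"review: {name} at {path} (installer={installer})")
```

A hit is a lead for review, not a verdict: confirm it by checking the APK's signing certificate against the certificate of a known-good Google package.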