Connect with us

Hi, what are you looking for?

HEADLINES

Kaspersky Lab detects Roaming Mantis attacking smartphones in Asia via DNS hijacking

Between February and April 2018, researchers detected the malware in over 150 user networks, mainly in South Korea, Bangladesh, and Japan, but there are likely to be many more victims. Researchers believe a cybercriminal group looking for financial gain is behind the operation.

Kaspersky Lab researchers discovered a new Android malware distributed through a domain name system (DNS) hijacking technique and targeting smartphones, mostly in Asia. The campaign, dubbed Roaming Mantis remains active and is designed to steal user information including credentials and to provide attackers with full control over the compromised Android device.

Between February and April 2018, researchers detected the malware in over 150 user networks, mainly in South Korea, Bangladesh, and Japan, but there are likely to be many more victims. Researchers believe a cybercriminal group looking for financial gain is behind the operation.

According to Vitaly Kamluk, director of the Global Research Analysis Team (GReAT) – APAC, “The story was recently reported in the Japanese media, but once we did a little more research, we found that the threat does not originate there. In fact, we found a number of clues that the attacker behind this threat speaks either Chinese or Korean. Further, the majority of victims were not located in Japan either. Roaming Mantis seems to be focusing mainly on Korea and Japan appears to have been a kind of collateral damage.”

Kaspersky Lab’s findings indicate that the attackers behind the malware seek out vulnerable routers for compromise, and distribute the malware through a simple yet very effective trick of hijacking the DNS settings of those infected routers. The method of router compromise remains unknown. Once the DNS is successfully hijacked, any attempt by users to access any website leads them to a genuine-looking URL with forged content coming from the attackers’ server. This includes the request: “To better experience the browsing, update to the latest chrome version.” Clicking on the link initiates the installation of a Trojanized application named either ‘facebook.apk’ or ‘chrome.apk’, which contains the attackers’ Android backdoor.

Advertisement. Scroll to continue reading.

The Roaming Mantis malware checks to see if the device is rooted and requests permission to be notified of any communications or browsing activity undertaken by the user.  It is also capable of collecting a wide range of data, including credentials for two-factor authentication. Researchers found that some of the malware code includes references to mobile banking and game application IDs popular in South Korea. Taken together, these indicators suggest a possible financial motive behind this campaign.

While Kaspersky Lab’s detection data uncovered around 150 targets, further analysis also revealed thousands of connections hitting the attackers’ command & control (C2) servers on a daily basis, pointing to a far larger scale of attack.

The design of Roaming Mantis’ malware shows it is intended for wider distribution across Asia. Among other things, it supports four languages: Korean, simplified Chinese, Japanese, and English. However, the artefacts gathered suggest the threat actors behind this attack are familiar mostly with Korean and simplified Chinese.

“Roaming Mantis is an active and rapidly changing threat. This is why we are publishing our findings now, rather than waiting until we have all the answers. There appears to be considerable motivation behind these attacks, and we need to raise awareness so that people and organizations can better recognize the threat. The use of infected routers and hijacked DNS highlights the need for robust device protection and the use of secure connections,” says Suguru Ishimaru, security researcher at Kaspersky Lab Japan.

Kaspersky Lab products detect this threat as ‘Trojan-Banker.AndroidOS.Wroba ’.

Advertisement. Scroll to continue reading.

In order to protect your internet connection from this infection, Kaspersky Lab recommends the following:

  • Refer to your router’s user manual to verify that your DNS settings haven’t been tampered with, or contact your ISP for support.
  • Change the default login and password for the admin web interface of the router.
  • Never install router firmware from third party sources. Avoid using third-party repositories for your Android devices.
  • Regularly update your router’s firmware from the official source.

Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

HEADLINES

The campaigns show attackers are capitalizing on people’s increasing familiarity with completing multiple authentication steps online – a trend HP calls ‘click tolerance’. 

White Papers

IBM X-Force observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method threat actors relied heavily on...

HEADLINES

Kaspersky participated in 95 independent tests and reviews, with its products being awarded first place 91 times and 92 TOP3 finishes, achieving the highest results among...

HEADLINES

‘Wangiri’ originated in Japan in the early 2000’s. The term describes the modus. ‘Wan’ is a play on the word ‘one’ while ‘giri’ means...

HEADLINES

Smart and its value brand TNT do not send text messages with clickable links. If you receive one—even if it looks like it’s from...

White Papers

n the Philippines, industry players are taking a more proactive approach to building a security framework for digital resilience.

HEADLINES

This marks the company’s first participation in the region’s premier tech event, where it will showcase its groundbreaking cybersecurity solutions to industry leaders, innovators,...

HEADLINES

A report found that the primary way attackers gained initial access to networks (56% of all cases across MDR and IR) was by exploiting...

Advertisement