Kaspersky Labs has warned of an Android Trojan, dubbed Roaming Mantis, pretending to be a series of popular mobile applications in order to fool victims into installing the Android malware. Its targets are largely Asian users, particularly concentrated in South Korea, China, Bangladesh and Japan. It has been at work over at least the last two months and appears to be propagating via smartphones roaming between Wi-Fi networks.
Part of the attack strategy involves hijacking the DNS settings of routers so that users are redirected to fake IP addresses, where they are invited to download spoofed versions of popular applications and browser updates. A pop-up warning message says, “To better experience the browsing, update to the latest chrome version.”
Once the update has been accepted, the Roaming Mantis malware app is downloaded. During installation, Roaming Mantis asks to be notified whenever the device is booted, and requests permissions to collect device account information, manage SMS/MMS and make calls, record audio, control external storage, check installed packages, work with file systems, draw overlay windows, and more.
Once it has been installed, the Trojan overlays all other windows to display a false warning message (in broken English), which reads “Account No.exists risks, use after certification.”
Roaming Mantis then starts a local web server, launches the web browser and opens a spoofed version of Google’s website, which asks users to enter their name and date of birth. Kaspersky writes, “After the user enters their name and date of birth, the browser is redirected to a blank page at http://127.0.0.1:${random_port}/submit. Just like the distribution page, the malware supports four locales: Korean, Traditional Chinese, Japanese and English.”
During analysis of the malware code, researchers detected references to popular South Korean mobile banking and gaming applications, such as wooribank.pib.smart, kbstar.kbbank, ibk.neobanking, sc.danb.scbankapp, shinhan.sbanking, hanabank.ebk.channel.android.hananbank, and others. The malware also verifies the presence of the superuser, which indicates whether or not the infected device is rooted.
The malware appears to be receiving code updates regularly, and it includes a feature to communicate with the C&C via email protocols. The researchers detected around 3,000 daily connections to the C&C infrastructure, which suggests a widespread infection campaign.
Roaming Mantis can both steal information from infected devices and give attackers full control over them. Kaspersky recommends that users ensure their router is running the latest firmware and that their device is protected by a strong password.