Cyber Threat Defense

Cyber Security News

Android Trojan Is Targeting Asia Users

April 20, 2018 By News Team Leave a Comment

Kaspersky Labs has warned of an Android Trojan, dubbed Roaming Mantis, pretending to be a series of popular mobile applications in order to fool victims into installing the Android malware. Its targets are largely Asian users, particularly concentrated in South Korea, China, Bangladesh and Japan. It has been at work over at least the last two months and appears to be propagating via smartphones roaming between Wi-Fi networks.

Part of the attack strategy involves the hijacking of the DNS settings of routers, redirecting users to fake IP addresses, where users are then invited to download spoofed versions of popular applications, and updates for browsers. A pop-up warning message says, “To better experience the browsing, update to the latest chrome version.”

Once the "update" has been accepted, the Roaming Mantis malware app is downloaded. During installation, Roaming Mantis requests permission to be notified whenever the device is booted, and then asks for permission to collect device account information, manage SMS/MMS and make calls, record audio, control external storage, check installed packages, work with file systems, draw overlay windows, plus additional functions.
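As an added illustration (not code from the article or from Kaspersky), the check below scores an Android manifest against the permission profile the paragraph describes, the kind of triage heuristic a defender would run over apps sideloaded from a "browser update" prompt. The mapping from the article's plain-English wording to permission names is my assumption, and the sample manifest is constructed.

```python
# Added example: triage an AndroidManifest.xml against the behaviour profile
# the article attributes to Roaming Mantis. The behaviour -> permission mapping
# is an assumption drawn from the article's wording, not from the malware.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Behaviour named in the article -> Android permission(s) that grant it (assumed).
PROFILE = {
    "boot notification":   {"RECEIVE_BOOT_COMPLETED"},
    "account information": {"GET_ACCOUNTS"},
    "SMS/MMS handling":    {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_MMS"},
    "make calls":          {"CALL_PHONE"},
    "record audio":        {"RECORD_AUDIO"},
    "external storage":    {"WRITE_EXTERNAL_STORAGE"},
    "package inspection":  {"GET_TASKS"},
    "overlay windows":     {"SYSTEM_ALERT_WINDOW"},
}

def declared_permissions(manifest_xml: str) -> set:
    """Return the short names of all <uses-permission> entries in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        full = node.get(f"{{{ANDROID_NS}}}name", "")
        names.add(full.rsplit(".", 1)[-1])   # android.permission.X -> X
    return names

def match_profile(manifest_xml: str, threshold: int = 6) -> dict:
    """Count how many profile behaviours the manifest covers; flag at >= threshold."""
    perms = declared_permissions(manifest_xml)
    hit = {b for b, needed in PROFILE.items() if perms & needed}
    return {"matched": sorted(hit), "score": len(hit), "suspicious": len(hit) >= threshold}

# Constructed sample manifest mirroring the article's permission list (not a real sample).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""

if __name__ == "__main__":
    print(match_profile(SAMPLE_MANIFEST))
```

A high score is a triage signal, not a verdict: legitimate messaging or accessibility apps can also cover several of these behaviours.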

Once it has been installed, the Trojan overlays all other windows to display a false warning message (in broken English), which reads “Account No.exists risks, use after certification.”

Roaming Mantis then starts a local web server, launches the web browser and opens a spoofed version of Google’s website, which asks users to enter their name and date of birth. Kaspersky writes, “After the user enters their name and date of birth, the browser is redirected to a blank page at http://127.0.0.1:${random_port}/submit. Just like the distribution page, the malware supports four locales: Korean, Traditional Chinese, Japanese and English.”

During analysis of the malware code, researchers detected references to popular South Korean mobile banking and gaming applications, such as wooribank.pib.smart, kbstar.kbbank, ibk.neobanking, sc.danb.scbankapp, shinhan.sbanking, hanabank.ebk.channel.android.hananbank, and others. The malware also checks for the presence of the superuser, which indicates whether or not the infected device is rooted.

The malware appears to be receiving code updates regularly, and it includes a feature to communicate with the C&C via email protocols. The researchers detected around 3,000 daily connections to the C&C infrastructure, which suggests a widespread infection campaign.

Roaming Mantis not only steals information from infected devices but also gives attackers full control over them. Kaspersky recommends that users ensure their router is running the latest firmware version and that their device is protected by a strong password.
