The new Roaming Mantis malware, discovered by Kaspersky Labs, which infiltrates Android smartphones to steal data and take control of devices, is operating via DNS hijacking.
DNS hijacking is an attack in which hackers redirect a device’s DNS queries to a domain name server (DNS) they control by overriding the device’s TCP/IP settings.
“Basically, DNS is your name to the universe. It’s how people find you,” Raymond Pompon, a security researcher with F5 Networks who has written extensively about DNS and how hackers can maliciously exploit it, told Wired. “If someone goes upstream and inserts false entries that pull people away from you, all the traffic to your website, your email, your services are going to get pointed to a false destination.”
There are two main kinds of DNS hijacking: (i) infecting devices with malware or DNS Trojan software, which stops them from translating user-friendly domain names into the correct corresponding IP addresses; and (ii) hacking specific websites and changing their DNS records so that visitors end up at completely different sites.
The Roaming Mantis attack uses the first kind of DNS hijacking. Hackers have been altering the DNS settings of vulnerable and poorly secured routers, which lets them intercept traffic, inject rogue ads into websites, and redirect users to fake pages designed to trick them into sharing sensitive data such as login credentials or bank account information.
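One way a defender can check a router’s DNS configuration for the kind of tampering described above, as an added example that is not code from the article or from Kaspersky: it flags upstream resolvers that are neither on an assumed allowlist nor on the LAN, and compares the answers each configured resolver gives for a probe domain against a trusted reference resolver. All resolver addresses and answers below are constructed sample data.

```python
"""Audit a router's DNS settings for hijacking indicators (added example)."""
import ipaddress

# Assumed allowlist of upstream resolvers the environment expects to see.
TRUSTED_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_private(ip: str) -> bool:
    """True if the address is RFC 1918 space (e.g. the LAN gateway itself)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def audit_dns_config(resolvers, answers, reference):
    """Return a list of (severity, message) findings.

    resolvers: upstream DNS servers configured on the router.
    answers:   {resolver_ip: {domain: set_of_ips}} observed through each resolver.
    reference: {domain: set_of_ips} returned by a trusted resolver.
    """
    findings = []
    # Check 1: an unknown public resolver is the classic router-hijack symptom.
    for r in resolvers:
        if r not in TRUSTED_RESOLVERS and not _is_private(r):
            findings.append(("high", f"unknown public resolver configured: {r}"))
    # Check 2: a resolver whose answers disagree with the reference is
    # steering clients somewhere else, e.g. to a spoofed site.
    for r in resolvers:
        for domain, seen in answers.get(r, {}).items():
            expected = reference.get(domain)
            if expected and not (seen & expected):
                findings.append(("critical",
                                 f"{r} resolves {domain} to {sorted(seen)}; "
                                 f"reference says {sorted(expected)}"))
    return findings


# Constructed sample: the router's second resolver has been replaced by a
# rogue one (TEST-NET addresses stand in for real values).
SAMPLE_RESOLVERS = ["192.168.1.1", "203.0.113.53"]
SAMPLE_ANSWERS = {
    "192.168.1.1": {"example.com": {"93.184.216.34"}},
    "203.0.113.53": {"example.com": {"198.51.100.7"}},  # spoofed destination
}
REFERENCE = {"example.com": {"93.184.216.34"}}

if __name__ == "__main__":
    for sev, msg in audit_dns_config(SAMPLE_RESOLVERS, SAMPLE_ANSWERS, REFERENCE):
        print(sev.upper(), msg)
```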
The new malware campaign has primarily been aimed at users in Asian countries, specifically South Korea, China and Bangladesh, since February 2018.
Once a router’s DNS settings have been altered, victims are redirected to spoofed versions of legitimate websites, where a pop-up warning message is displayed, reading “To better experience the browsing, update to the latest chrome version.”
The spoofed page then downloads the Roaming Mantis malware app. Roaming Mantis requests permissions to collect device account information, manage SMS/MMS and make calls, control external storage, record audio, work with file systems, check packages, draw overlay windows, and more.
The malicious app then overlays all other windows to display a fraudulent warning message: “Account No.exists risks, use after certification.”
Roaming Mantis then opens a spoofed version of Google’s website, which asks users to enter their name and date of birth. Because the Roaming Mantis malware app has already gained wide-ranging permissions, this final step additionally lets attackers obtain the secret two-factor authentication verification code for victims’ accounts.
DNS hijacking for malicious intent is not new. DNSChanger and Switcher are two recent pieces of malware that primarily worked by modifying the DNS settings of wireless routers to redirect traffic to fraudulent websites controlled by attackers.