On 16 April, Kaspersky Lab researchers reported on a new Android malware distributed through a domain name system (DNS) hijacking technique and targeting mainly smartphones in Asia. Four weeks on, the threat continues to evolve rapidly and has now extended its target geography to include Europe and the Middle East, adding a phishing option for iOS devices and PC crypto-mining capability.

 

The campaign, dubbed Roaming Mantis, is designed mainly to steal user information including credentials and to provide attackers with full control over the compromised device. The researchers believe a Korean or Chinese-speaking cybercriminal group looking for financial gain is behind the operation.

 

Method of attack
Kaspersky Lab’s findings indicate that the attackers behind Roaming Mantis seek out vulnerable routers for compromise, and distribute the malware through a simple yet very effective trick of hijacking the DNS settings of those infected routers. The method of router compromise remains unknown.

 

Once the DNS is successfully hijacked, any attempt by users to access any website leads them to a genuine-looking URL with forged content coming from the attackers’ server. This includes the request: “To better experience the browsing, update to the latest chrome version.” Clicking on the link initiates the installation of a Trojanized application named either ‘facebook.apk’ or ‘chrome.apk’, which contains the attackers’ Android backdoor.

 

The Roaming Mantis malware checks to see if the device is rooted and requests permission to be notified of any communications or browsing activity undertaken by the user. It is also capable of collecting a wide range of data, including credentials for two-factor authentication.

 

The attackers’ interest in these credentials, together with the fact that some of the malware code includes references to mobile banking and game application IDs popular in South Korea, suggests a possible financial motive behind this campaign.

 

Expanded target geography and features

 

Kaspersky Lab’s initial research uncovered around 150 targets, mainly in South Korea, Bangladesh, and Japan, but it also revealed thousands of connections hitting the attackers’ command & control (C2) servers on a daily basis, pointing to a far larger scale of attack. The malware included support for four languages: Korean, simplified Chinese, Japanese, and English.

 

The attack range has now been extended, supporting 27 languages in all, including Filipino, Polish, German, Arabic, Bulgarian and Russian. The attackers have also introduced a redirection to Apple-themed phishing pages if the malware encounters an iOS device.

 

The latest addition to the arsenal is a malicious website with PC crypto-mining capability. Kaspersky Lab’s observations suggest that at least one wave of wider attacks has taken place, with researchers noting over 100 targets among Kaspersky Lab customers within a few days.

 

“When we first reported on Roaming Mantis in April we said that it was an active and rapidly changing threat. New evidence shows a dramatic expansion in target geography to include Europe and the Middle East, and more. We believe the attackers are cybercriminals looking for financial gain and have found a number of clues to suggest that the attackers speak either Chinese or Korean. There is clearly considerable motivation behind this threat, so it is unlikely to diminish any time soon. The use of infected routers and hijacked DNS highlights the need for robust device protection and the use of secure connections,” says Suguru Ishimaru, Security Researcher at Kaspersky Lab Japan.

 

Kaspersky Lab products detect the Roaming Mantis threat as ‘Trojan-Banker.AndroidOS.

 

In order to protect your internet connection from this infection, Kaspersky Lab recommends the following:

  • Refer to your router’s user manual to verify that your DNS settings haven’t been tampered with, or contact your ISP for support.
  • Change the default login and password for the admin web interface of the router and regularly update your router’s firmware from the official source.
  • Never install router firmware from third party sources. Avoid using third-party repositories for your Android devices.
  • Further, always check browser and website addresses to ensure they are legitimate; look for signs such as https when asked to enter data.
  • Consider installing a mobile security solution, such as Kaspersky Internet Security for Android, to protect your devices from these and other threats.
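
An added example, not part of Kaspersky Lab's guidance or code: one way to automate the first recommendation is to compare what the router-assigned resolver answers for several unrelated names against answers from a trusted reference resolver. Because the hijack described above sends every website to the attackers' server, the strong signal is many unrelated names converging on one address the reference never returns. The function name, threshold, canary names and addresses below are constructed for illustration.

```python
from collections import Counter

# Constructed sample answers (reserved documentation names and addresses).
REFERENCE = {
    "example.com": {"192.0.2.10"},
    "example.org": {"198.51.100.20"},
    "example.net": {"192.0.2.30", "192.0.2.31"},
}
# Hijacked router: every name resolves to one foreign server.
HIJACKED = {name: {"203.0.113.66"} for name in REFERENCE}
# Healthy router: answers overlap the reference (a subset is normal).
CLEAN = {**REFERENCE, "example.net": {"192.0.2.31"}}


def assess_resolver(local, reference, converge_ratio=0.6):
    """Compare {name: set(ips)} from the router-assigned resolver with the
    same mapping from a trusted reference resolver.

    A single mismatch can be ordinary geo/CDN variation, so it is only
    marked for review. The hijack signal is convergence: one address,
    never seen in the reference, returned for a large share of names.
    """
    # Names answered locally with no address in common with the reference.
    # Empty or missing answers are skipped: a timeout is not a mismatch.
    mismatched = sorted(
        name for name, ref_ips in reference.items()
        if local.get(name) and local[name].isdisjoint(ref_ips)
    )
    # How many mismatched names each local address was returned for.
    hits = Counter(ip for name in mismatched for ip in local[name])
    shared = sorted(
        ip for ip, n in hits.items()
        if n >= 2 and n / len(reference) >= converge_ratio
    )
    if shared:
        verdict = "hijack-suspected"
    elif mismatched:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "shared_ips": shared, "mismatched": mismatched}


if __name__ == "__main__":
    for label, answers in (("hijacked", HIJACKED), ("clean", CLEAN)):
        print(label, assess_resolver(answers, REFERENCE))
```

In practice the two mappings would be filled by querying the resolver handed out by the router and a resolver reached over a channel the router cannot rewrite.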

 

For more information and technical details on Roaming Mantis, please read the blog post on Securelist.

