Roaming Mantis Attacks Mobile Phones Through DNS Hijacking

Researchers at Kaspersky Lab have discovered a new strain of Android malware that spreads through Domain Name System (DNS) hijacking and mainly targets smartphones in Asia. The campaign, called Roaming Mantis, is still very active. Its goal is to steal user information, including credentials, and to give the attacker full control of the infected Android device. Between February and April 2018, the researchers detected the malware in more than 150 user networks. Most of the victims are in South Korea, Bangladesh and Japan, and the true number of victims is probably higher. The researchers believe a financially motivated cybercrime group is behind the attack.

Vitaly Kamluk, Regional Director of Asia Pacific at Kaspersky Lab's Global Research and Analysis Team (GReAT), said: 'Japanese media recently reported this attack, but after conducting some research we found that this threat did not originate from Japan. In fact, we found multiple clues indicating that the attacker behind this threat speaks Chinese or Korean. Not only that, most of the victims are not in Japan. Roaming Mantis seems to be mainly aimed at Korean users; Japanese victims seem to be some kind of collateral damage.'

Kaspersky Lab's findings indicate that the attackers behind this malware look for vulnerable routers and spread the malware through a simple but effective method: hijacking the DNS settings of the compromised router. How the routers themselves are compromised is still unknown. Once DNS is hijacked, any website the user tries to visit resolves to a convincing-looking URL whose content is forged and served from the attacker's server. The page tells the user: 'For a better browsing experience, please upgrade to the latest version of Chrome.' Clicking the link downloads and installs an application carrying the Trojan. These malicious applications are usually named 'facebook.apk' or 'chrome.apk' and contain the attacker's Android backdoor.

The Roaming Mantis malware checks whether the device is rooted and requests permission to be notified of any communication or browsing activity by the user. It also collects a variety of data, including two-factor authentication credentials. The researchers found that parts of the malware code reference the application IDs of popular Korean mobile banking and gaming apps. These signs indicate that the purpose of the attack is most likely financial gain.

Kaspersky Lab's telemetry identified about 150 targets. Further analysis showed an average of thousands of connections per day to the attackers' command and control (C2) servers, indicating that the real scale of the attack is larger.

The design of the Roaming Mantis malware shows that it is intended for wide distribution across Asia: it supports four languages, namely Korean, Simplified Chinese, Japanese and English. However, the evidence collected suggests that the attackers behind the threat are most fluent in Korean and Simplified Chinese.

Suguru Ishimaru, a Japanese security researcher at Kaspersky Lab, said: 'Roaming Mantis is an active and rapidly changing threat. That is why we have published our findings now rather than waiting until we had found all the answers. This attack seems to have a strong motivation behind it, so we need to raise users' awareness and make it easier for people and businesses to recognise this threat. The use of infected routers and hijacked DNS in this attack shows the necessity of strong device protection and secure connections.'

Kaspersky Lab products detect this threat as 'Trojan-Banker.AndroidOS.Wroba'.

To protect your Internet connection from this infection, Kaspersky Lab recommends the following measures:

● Refer to your router's manual to confirm that its DNS settings have not been changed, or contact your Internet Service Provider (ISP) for support.

● Change the default username and password of the router's management interface.

● Do not install router firmware from third-party sources. Do not install apps from third-party sources on your Android device.

● Regularly update your router firmware from the official vendor source.
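The first recommendation above (confirm that the router's DNS settings have not been changed) can be turned into two automated checks: is the resolver the router hands out via DHCP something you recognise, and does a well-known name resolve to the same addresses through that resolver as through an independent trusted resolver? The script below is an added example and is not code from Kaspersky Lab or from the Roaming Mantis report. It uses only the Python standard library and builds and parses the DNS wire format by hand so that the logic can be exercised offline against constructed packets; the gateway address 192.168.1.1, the trusted-resolver list and the TEST-NET addresses used in the sample answers are assumptions for illustration, not indicators from the campaign.

```python
"""Added example (not from the Kaspersky report): DNS hijack checks for a home router.

Roaming Mantis rewrote the DNS server settings on compromised routers so that
lookups went to attacker-controlled resolvers.  Two cheap checks catch that:
  1. the resolver handed out by the router should be the router itself, an
     RFC 1918 address, or a resolver on your allow-list, not an arbitrary IP;
  2. a well-known name should resolve to the same addresses through the
     router-supplied resolver and through an independent trusted resolver.
"""
import ipaddress
import random
import socket
import struct

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private, which
# also treats documentation ranges (e.g. 203.0.113.0/24) as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS A/IN query with the RD flag set, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Skip a (possibly compressed) domain name; return the offset after it."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(msg: bytes, expected_txid: int) -> set:
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError(f"DNS error, rcode={flags & 0xF}")
    offset = 12
    for _ in range(qd):
        offset = _skip_name(msg, offset) + 4  # QTYPE + QCLASS
    addrs = set()
    for _ in range(an):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def resolver_looks_rogue(resolver_ip: str, gateway_ip: str, trusted: set) -> bool:
    """Check 1: a DHCP-assigned resolver that is neither the router, an RFC 1918
    address, nor an allow-listed public resolver is suspicious."""
    ip = ipaddress.ip_address(resolver_ip)
    on_lan = any(ip in net for net in RFC1918)
    return not (on_lan or resolver_ip == gateway_ip or resolver_ip in trusted)


def answers_diverge(local_answers: set, trusted_answers: set) -> bool:
    """Check 2: a hijacked resolver points well-known names at the attacker's host.
    CDN round-robin can make the sets differ partially, so only a completely
    disjoint result counts as a hit."""
    return bool(local_answers) and local_answers.isdisjoint(trusted_answers)


def live_lookup(name: str, resolver_ip: str, timeout: float = 2.0) -> set:
    """Send the query over UDP/53 to resolver_ip (network access required)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def fake_response(query: bytes, addrs) -> bytes:
    """Constructed test helper: answer `query` with one A record per address,
    using a compression pointer to the question name as real servers do."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + query[12:] + rrs


def demo() -> dict:
    """Offline run against constructed packets (TEST-NET addresses, not real IOCs)."""
    q = build_query("example.com", 0x1234)
    hijacked = parse_a_records(fake_response(q, ["203.0.113.10"]), 0x1234)  # rogue answer
    trusted = parse_a_records(fake_response(q, ["198.51.100.7"]), 0x1234)   # assumed true answer
    return {
        "rogue_resolver": resolver_looks_rogue("203.0.113.53", "192.168.1.1", {"1.1.1.1", "8.8.8.8"}),
        "router_resolver_ok": not resolver_looks_rogue("192.168.1.1", "192.168.1.1", {"1.1.1.1"}),
        "hijacked": answers_diverge(hijacked, trusted),
        "clean": not answers_diverge({"198.51.100.7"}, trusted),
    }


if __name__ == "__main__":
    print(demo())
```

For a real check, replace the constructed packets with `live_lookup(name, dhcp_resolver)` and `live_lookup(name, "1.1.1.1")` for a few well-known names; a rogue resolver only occasionally answers a lookup differently for sites it does not target, so test the sites the campaign is known to impersonate as well as generic ones.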
