LTS Secure Warning: Android and iOS devices under attack from Roaming Mantis Malware

In a new investigation report from Kaspersky Lab in March 2018, malicious activity was found in routers in Japan that redirected users to fake websites. According to the report, most of the affected users are in Asia.

Based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection, we decided to call it ‘Roaming Mantis’.

Technical Details

Roaming Mantis uses DNS hijacking to distribute its malware and grow the infection. The attackers hijack the router's DNS settings and redirect users to a malicious IP address. The redirection leads to the installation of malicious applications such as Facebook.apk and chrome.apk, which carry the Android Trojan Trojan-Banker.AndroidOS.Wroba.

During installation, the malware asks for permissions such as access to your account information, sending and receiving SMS, processing voice calls, recording audio, and accessing files. It displays its own fake window on top of other apps. Once installation is complete, the malware uses the granted access rights to get into the account through a phishing request.

In a further development, the attackers started targeting iOS devices, using phishing sites to obtain user credentials. When an iOS user connects to a web page through an infected router, the browser is redirected to a phishing page at ‘http://security.apple.com/’. This page steals the user's bank account credentials.

In a recent discovery, the malicious landing page gained a new feature: web mining through a special script executed in the browser. When a user connects to the phishing web page, the script lets the cybercriminals run Coinhive, which performs web mining and overloads the device's CPU.
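The in-browser mining described above is visible in the page source a victim's browser fetches. The scanner below is an added example, not code from the original advisory or from Kaspersky Lab: it parses an HTML document with Python's standard html.parser and flags script tags that load or invoke a Coinhive-style miner. The Coinhive library path and constructor name used in the patterns are the ones the service published at the time; the sample pages and the site-key value are constructed for the demonstration, and any marker list like this is an assumption that needs maintaining against whatever miner is current.

```python
import re
from html.parser import HTMLParser

# Markers for the kind of browser-mining script the advisory describes.
# The coinhive.min.js path and CoinHive.Anonymous constructor are the names
# the Coinhive service published; "cryptonight" is the algorithm family such
# miners used. Treat this list as a starting point, not a complete signature set.
MINER_SRC_PATTERNS = [re.compile(p, re.I) for p in (
    r"coinhive\.min\.js",
    r"coinhive\.com/lib/",
)]
MINER_INLINE_PATTERNS = [re.compile(p, re.I) for p in (
    r"CoinHive\.Anonymous\s*\(",
    r"cryptonight",
)]


class MinerScriptScanner(HTMLParser):
    """Collects evidence of mining scripts: external <script src> references
    that match known miner libraries, and inline script bodies that contain
    miner constructor calls."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        self._in_script = True
        self._buf = []
        # attrs is a list of (name, value) pairs; value may be None
        src = dict(attrs).get("src") or ""
        if any(p.search(src) for p in MINER_SRC_PATTERNS):
            self.findings.append(f"external miner script: {src}")

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf)
            for p in MINER_INLINE_PATTERNS:
                if p.search(body):
                    self.findings.append(f"inline miner code matching /{p.pattern}/")
                    break
            self._in_script = False


def scan_html(html: str) -> list:
    """Return a list of human-readable findings; empty means nothing matched."""
    scanner = MinerScriptScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a phishing landing page that also loads a miner.
SAMPLE_PHISHING_PAGE = """<html><head><title>Security Alert</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER');
  miner.start();
</script></head><body><form action="/login">...</form></body></html>"""

# Constructed sample: an ordinary page with its own scripts and no miner.
SAMPLE_CLEAN_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>console.log('ready');</script>
</head><body><p>hello</p></body></html>"""

if __name__ == "__main__":
    for page_name, page in (("phishing", SAMPLE_PHISHING_PAGE), ("clean", SAMPLE_CLEAN_PAGE)):
        print(page_name, scan_html(page) or "no miner markers found")
```

A scanner like this only sees what is in the HTML it is given; a miner loaded through a second-stage script fetched at runtime would need the fetched resources scanned as well. The CPU symptom the advisory mentions remains the most reliable end-user clue.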

Impact

According to Kaspersky Lab research, Roaming Mantis uses DNS hijacking to infect Android devices and steal users' login credentials and two-factor authentication codes.

On iOS devices, it hijacks credentials using a spoofed (phishing) web page. In a recent development, it also runs a crypto web miner, which overloads the device's CPU.

Recommended Actions

In order to protect your internet connection from Roaming Mantis Malware infection, Kaspersky Lab recommends the following:

  • Refer to your router’s user manual to verify that your DNS settings haven’t been tampered with, or contact your ISP for support.
  • Change the default login and password for the admin web interface of the router.
  • Never install router firmware from third-party sources.
  • Avoid using third-party repositories for your Android devices.
  • Regularly update your router’s firmware from the official source.


Kaspersky Lab has released a security advisory about Roaming Mantis Malware on May 18, 2018.