Roaming Mantis malware on the loose in Asia
Cybersecurity firm suspects a cybercriminal group looking for financial gain is behind the attack
More than 150 attacks in Asia by Roaming Mantis, a new Android malware that steals user information, have been detected.
The malware, identified by researchers of cybersecurity firm Kaspersky Lab, gives attackers full control over the compromised Android device.
Between February and April 2018, researchers found the malware in more than 150 user networks, mainly in South Korea, Bangladesh and Japan, but there are likely many more victims.
Researchers believe that a cybercriminal group looking for financial gain is behind the operation.
“The story was recently reported in the Japanese media, but once we did a little more research, we found that the threat does not originate there,” said Vitaly Kamluk, director of global research analysis for Asia-Pacific. “In fact, we found a number of clues that the attacker behind this threat speaks either Chinese or Korean. Further, the majority of victims were not located in Japan either. Roaming Mantis seems to be focusing mainly on Korea, and Japan appears to have been a kind of collateral damage.”
While Kaspersky Lab’s detection data uncovered about 150 targets, further analysis revealed thousands of connections hitting the attackers’ command and control servers on a daily basis, pointing to a far larger scale of attack.
The design of the Roaming Mantis malware shows that it’s intended for wider distribution across Asia. Among other things, it supports four languages: Korean, simplified Chinese, Japanese and English.
The artefacts gathered, however, suggest that the threat actors behind the attacks are familiar mostly with Korean and simplified Chinese.
Kaspersky Lab’s findings indicate that the attackers behind the malware seek out vulnerable routers for compromise, then distribute the malware through a simple yet effective trick of hijacking the DNS settings of those infected routers.
The method of router compromise remains unknown. Once the DNS is successfully hijacked, any attempt by users to access any website leads them to a genuine-looking URL with forged content coming from the attackers’ server.
The forged content includes the prompt: “To better experience the browsing, update to the latest chrome version.” Clicking on the link initiates the installation of a Trojanised application named either facebook.apk or chrome.apk, which contains the attackers’ Android back door.
The Roaming Mantis malware checks to see if the device is rooted and requests permission to be notified of any communications or browsing activity undertaken by the user. It can also collect a wide range of data, including credentials for two-factor authentication.
Researchers found that some of the malware code includes references to mobile banking and game apps.
In order to protect their internet connection from the infection, users should refer to their router’s user manual to verify that the DNS settings haven’t been tampered with, or contact the ISP for support. They should then change the default login and password for the admin web interface of the router.
Users should never install router firmware from third-party sources, and they should avoid using third-party repositories for Android devices.
Lastly, users should regularly update the router’s firmware from the official source to add another layer of security.