Roaming Mantis Uses Android Malware that Hijacks DNS by Exploiting Wi-Fi Routers

Roaming Mantis is a cyberattack campaign that has been active for an extended period of time. The attackers behind this campaign use malicious APK files, which are the files used to install apps on Android devices, to gain control of infected devices and steal the data.

These APK files can be spread through various means, such as being bundled with legitimate apps or being sent as attachments in phishing emails. 

Once a device is infected, the attackers can steal various types of information from it, such as:-

• User credentials
• Device information
• Financial information

After conducting a thorough investigation throughout 2022, Kaspersky discovered that the actor in question employs a DNS changer technique to gain access to Wi-Fi routers and perform DNS hijacking.

The malware Wroba.o/Agent.eq, known to be present in Android devices, was utilized as the primary tool in this campaign, and it has been identified that it had incorporated a new feature, which had not been observed before.

Infection Flow

Roaming mantis (aka Shaoye), has been targeting Android smartphone users for a long time now with financial motives. Roaming Mantis was first observed by Kaspersky in 2018 when it targeted the Asian region including the following countries:-

• Japan
• South Korea
• Taiwan

The hacking group, which had primarily targeted the Asian region since 2018, was found to have broadened the scope of its victims to include France and Germany for the first time in early 2022. 

This was achieved by disguising the malware as the widely-used Google Chrome web browser application, thereby evading detection.

The tactic employed in these attacks is the use of smishing messages as the primary method of intrusion, where the unsuspecting victims are delivered a seemingly harmless link.

Which upon clicking, offers a malicious APK or redirects to phishing pages, tailored to the operating system installed on the mobile device.

In addition to the above methods, some attacks have also employed the manipulation of Wi-Fi routers through a technique called DNS hijacking, in which the attackers intercept and redirect the DNS queries of unsuspecting users to fake landing pages, as a means to gain unauthorized access.

Deploying the Wroba (also known as MoqHao and XLoader) malware is the ultimate aim of these intrusions. Once the malware is installed on the device, is capable of executing a wide range of malicious activities.

The newest version of Wroba malware has the capability of identifying and infiltrating specific router models by using a sophisticated technique known as DNS hijacking, which alters the DNS settings of the targeted routers.

The primary aim of this attack is to redirect devices connected to the hacked Wi-Fi router to web pages controlled by the attacker so that they can be further exploited. 

The Wroba malware is used in this process to create a constant flow of infected devices that can be used to gain access to other vulnerable routers.

Interestingly, South Korea is the only country that uses the DNS changer program. Several countries have been reported to be targets of the Wroba malware through smishing campaigns, including the following:-

• Austria
• France
• Germany
• India
• Japan
• Malaysia
• Taiwan
• Turkey
• The U.S.

If Android devices with malware are installed to connect to public or open Wi-Fi networks with security vulnerabilities, it may allow the malware to propagate to other devices on the same network.

The DNS changer has the potential to cause significant problems in other regions, in short, it’s a serious concern.

IoCs

MD5 of Wroba.o

2036450427a6f4c39cd33712aa46d609

8efae5be6e52a07ee1c252b9a749d59f

95a9a26a95a4ae84161e7a4e9914998c

ab79c661dd17aa62e8acc77547f7bd93

d27b116b21280f5ccc0907717f2fd596

f9e43cc73f040438243183e1faf46581

Network Security Checklist – Download Free E-Book