Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Android Trojan Spreads via DNS Hijacking

An Android Trojan masquerading as popular mobile applications is propagating via smartphones roaming between Wi-Fi networks, Kaspersky Lab warns.

An Android Trojan masquerading as popular mobile applications is propagating via smartphones roaming between Wi-Fi networks, Kaspersky Lab warns.

Over the span of two months, the Moscow-based security firm observed the malware mainly targeting users in Asia. As part of the attack, DNS settings of routers are hijacked to redirect users to malicious IP addresses, where they serve fake versions of popular applications.

Dubbed Roaming Mantis, the Trojan appears to be the work of a financially motivated actor familiar with both Simplified Chinese and Korean. The attackers were observed using Trojanized applications named facebook.apk and chrome.apk to trick users into installing the malware.  

After being redirected to a malicious website, users are prompted, for example, to install an update for Chrome: “To better experience the browsing, update to the latest chrome version,” the popup message displayed by the rogue server reads, Kaspersky says.

During installation, Roaming Mantis requests permission to be notified when the device is booted, to use the Internet, collect account information, manage SMS/MMS and make calls, record audio, control external storage, check packages, work with file systems, draw overlay windows, and more.

After installation, the malware overlays a message over all other windows, after which it starts its own webserver on the device, and renders a page spoofing Google’s authentication on 127.0.0.1. Using the Google account name collected from the infected device, the threat asks the user to provide a name and date of birth, claiming that this would facilitate access to the account.

The Trojan also attempts to get a verification code for two-factor authentication, but a bug in the code resulted in the Korean text to be displayed for Japanese and English users as well. The malware developers could also attempt to steal verification codes using the receive/read/write/send SMS/MMS and record audio permissions.

The malware’s code also contains references to Android applications popular in South Korea, linked to mobile banking and games: wooribank.pib.smart, kbstar.kbbank, ibk.neobanking, sc.danb.scbankapp, shinhan.sbanking, hanabank.ebk.channel.android.hananbank, smart, epost.psf.sdsi, kftc.kjbsm
b, smg.spbs, webzen.muorigin.google, ncsoft.lineagem19, ncsoft.lineagem, co.neople.neopleotp, co.happymoney.android.happymoney, nexon.axe, nexon.nxplay, atsolution.android.uotp2
.

Advertisement. Scroll to continue reading.

The malware also verifies the presence of the su binary (superuser), which is usually an indication that the device is rooted (the su binary is not present on regular Android devices). This could allow attackers to gain elevated privileges on the system.

The malware appears to be receiving code updates on a regular basis, and the security researchers note that it also includes a new feature to communicate with the C&C via email protocols. The Trojan sends data such as language, phone number, access information, and the result of a PING test to the C&C.

Between February 9 and April 9, 2018, Kaspersky observed more than 6,000 occurrences of the malware, but only around 150 unique users appeard to be impacted.

Most detections came from South Korea, Bangladesh, and Japan, which isn’t surprising, as the malware’s capabilities suggest it was designed to be spread mainly in Asian countries. The researchers noticed around 3,000 connections to the C&C infrastructure per day, which reveals a much larger infection campaign.

Based on the system locale information the malware sends to the C&C, the researchers discovered that 98% of affected devices appear to have the Korean locale set. The remaining devices use English (both U.K. and U.S.), Simplified Chinese, Japanese, and others.

Roaming Mantis can not only steal information from the infected devices, but also provide attackers with full control over them. Likely the work of cybercriminal hackers, the Trojan is being updated each day, showing that the malicious actor is highly active.

Related: New Monero-Mining Android Malware Discovered

Related: New “HenBox” Android Malware Discovered

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.