Connect with us

Hi, what are you looking for?


Mobile & Wireless

Android Trojan Spreads via DNS Hijacking

An Android Trojan masquerading as popular mobile applications is propagating via smartphones roaming between Wi-Fi networks, Kaspersky Lab warns.

An Android Trojan masquerading as popular mobile applications is propagating via smartphones roaming between Wi-Fi networks, Kaspersky Lab warns.

Over the span of two months, the Moscow-based security firm observed the malware mainly targeting users in Asia. As part of the attack, DNS settings of routers are hijacked to redirect users to malicious IP addresses, where they serve fake versions of popular applications.

Dubbed Roaming Mantis, the Trojan appears to be the work of a financially motivated actor familiar with both Simplified Chinese and Korean. The attackers were observed using Trojanized applications named facebook.apk and chrome.apk to trick users into installing the malware.  

After being redirected to a malicious website, users are prompted, for example, to install an update for Chrome: “To better experience the browsing, update to the latest chrome version,” the popup message displayed by the rogue server reads, Kaspersky says.

During installation, Roaming Mantis requests permission to be notified when the device is booted, to use the Internet, collect account information, manage SMS/MMS and make calls, record audio, control external storage, check packages, work with file systems, draw overlay windows, and more.

After installation, the malware overlays a message over all other windows, after which it starts its own webserver on the device, and renders a page spoofing Google’s authentication on Using the Google account name collected from the infected device, the threat asks the user to provide a name and date of birth, claiming that this would facilitate access to the account.

The Trojan also attempts to get a verification code for two-factor authentication, but a bug in the code resulted in the Korean text to be displayed for Japanese and English users as well. The malware developers could also attempt to steal verification codes using the receive/read/write/send SMS/MMS and record audio permissions.

Advertisement. Scroll to continue reading.

The malware’s code also contains references to Android applications popular in South Korea, linked to mobile banking and games:, kbstar.kbbank, ibk.neobanking, sc.danb.scbankapp, shinhan.sbanking,, smart, epost.psf.sdsi, kftc.kjbsm
b, smg.spbs,, ncsoft.lineagem19, ncsoft.lineagem, co.neople.neopleotp,, nexon.axe, nexon.nxplay,

The malware also verifies the presence of the su binary (superuser), which is usually an indication that the device is rooted (the su binary is not present on regular Android devices). This could allow attackers to gain elevated privileges on the system.

The malware appears to be receiving code updates on a regular basis, and the security researchers note that it also includes a new feature to communicate with the C&C via email protocols. The Trojan sends data such as language, phone number, access information, and the result of a PING test to the C&C.

Between February 9 and April 9, 2018, Kaspersky observed more than 6,000 occurrences of the malware, but only around 150 unique users appeard to be impacted.

Most detections came from South Korea, Bangladesh, and Japan, which isn’t surprising, as the malware’s capabilities suggest it was designed to be spread mainly in Asian countries. The researchers noticed around 3,000 connections to the C&C infrastructure per day, which reveals a much larger infection campaign.

Based on the system locale information the malware sends to the C&C, the researchers discovered that 98% of affected devices appear to have the Korean locale set. The remaining devices use English (both U.K. and U.S.), Simplified Chinese, Japanese, and others.

Roaming Mantis can not only steal information from the infected devices, but also provide attackers with full control over them. Likely the work of cybercriminal hackers, the Trojan is being updated each day, showing that the malicious actor is highly active.

Related: New Monero-Mining Android Malware Discovered

Related: New “HenBox” Android Malware Discovered

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.