Roaming Mantis Expands Android Backdoor to Europe

The Roaming Mantis Android malware campaign has buzzed into Europe, quickly infesting France in particular, where there have been 66,789 downloads of the group’s specific remote access trojan (RAT) as of January.

Roaming Mantis has been spreading since 2018, mostly observed in Japan, South Korea and Taiwan. Now, its arrival in France has resulted in that country seeing the highest volume of attacks worldwide, according to researchers at Kaspersky. There have also been detections in Germany. The attacks are now monitored by French media and German Police.

How does it work?

According to research by security firms such as Kaspersky, Roaming Mantis is mobile malware that this year has been spreading via DNS hijacking. The malware redirects potential victims to a malicious web page that distributes a trojanized application posing as either Facebook or Chrome. Once the user installs it manually, a banking trojan executes.

The campaign typically spreads via “smishing” – i.e., SMS-based phishing, pretending to be Google Chrome or a region-specific entity such as “Yamato Transport” in Japan.

The researchers further explained how the attack works: if a user clicks the link and opens the landing page, there are two scenarios. iOS users are redirected to a phishing page imitating the official Apple website, while on Android devices the Wroba malware is downloaded.

What is WROBA?

The WROBA RAT (remote access trojan) has a feature that checks the region of the infected device in order to display a phishing page in the corresponding language. In the past it checked only for Asian regions, but Germany and France have now been added, according to Kaspersky.

The figure below shows how the attackers carry out the phishing, how it affects both operating systems (iOS and Android), and how WROBA checks the region and displays the page in the corresponding language.

Source: German police

These phishing attacks are mainly financially motivated, but sometimes the attackers also target the victim's personal data. In this case the attackers steal personal data (images, …).

We are coming for your images:

As for the Wroba backdoor itself, the RAT has acquired two new information-stealing commands: "get_photo" and "get_gallery". This brings the total number of embedded backdoor commands to 21, according to Kaspersky.

The attackers have two aims in mind. One possible scenario is that the criminals steal details from items such as driver's licenses, health insurance cards or bank cards in order to sign up for contracts with QR code payment services or mobile payment services. The criminals can also use stolen photos to get money in other ways, such as blackmail or "sextortion".

List of backdoor commands in the new Wroba
Source: Kaspersky

Ways to protect yourself from phishing attacks:

Here is how to avoid becoming a victim of phishing:

  • Always inspect the sender's email address closely: there is often a small change to the address that you can spot by eye.
  • Emails that urge you to act urgently are often suspicious. Be aware!
  • Avoid clicking on unexpected links: as explained above, the Roaming Mantis phishing scam can steal your information, or worse.
  • SMS texts that contain URLs should always be treated with caution and suspicion, even if they come from someone you know.
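The last two tips can be turned into a simple triage rule for incoming SMS: a message that carries a URL, claims to be a brand the post names as a Roaming Mantis lure (Chrome, Yamato Transport) but links to a host outside that brand's domain, and pushes urgency is a smishing candidate. This is an added example written for this post, not code from the original or from any of the cited researchers; the brand-to-domain allowlist and the sample messages are constructed assumptions.

```python
import re

# Brands the post says the campaign impersonates, mapped to the domains a genuine
# message from them would link to. The allowlist is an assumption for this example.
BRAND_DOMAINS = {
    "chrome": ("google.com",),
    "yamato transport": ("kuronekoyamato.co.jp",),
}
# Urgency cues of the "act now or lose your account" kind described in the post.
URGENCY = ("urgent", "immediately", "suspended", "verify now", "within 24 hours")
# Capture the host part of any http(s) URL in the message body.
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def host_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one.

    Strips a 'user@' prefix (lookalike trick) and a port before comparing, and
    uses a dotted-suffix check so 'google.com.evil.example' does not pass."""
    host = host.lower().split("@")[-1].split(":")[0]
    return any(host == d or host.endswith("." + d) for d in allowed)


def triage_sms(text):
    """Return (score, reasons) for one SMS body. A score of 2 or more means
    the message should be quarantined rather than shown to the user."""
    body = text.lower()
    reasons = []
    hosts = [m.group(1) for m in URL_RE.finditer(text)]
    if hosts:
        reasons.append("contains URL")
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in body and hosts and not all(host_matches(h, allowed) for h in hosts):
            reasons.append(f"claims to be {brand} but links outside its domain")
    if any(cue in body for cue in URGENCY):
        reasons.append("urgency cue")
    return len(reasons), reasons


# Constructed sample messages, not real captures from the campaign.
SAMPLES = [
    "Chrome update required, install immediately: http://chrome-update.example/apk",
    "Yamato Transport: your parcel could not be delivered. Verify now http://yamato.example/track",
    "Download Chrome: https://www.google.com/chrome/",
    "Running late, see you at noon",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        score, why = triage_sms(msg)
        print(f"{score} {why!r:70} {msg[:50]}")
```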

These Roaming Mantis attacks will expand further in the coming months, as researchers believe they are financially motivated. The attackers also use multiple techniques to avoid getting caught (for example, switching the programming language from Java to Kotlin) and many other ways of keeping themselves away from justice.

We all make mistakes. I could almost have been a victim of a phishing scam because I trusted the source, but it turned out to be a scam: they were asking me, in an urgent way, to enter my information (email address, credit card number, phone number…) or else I would lose my account. Thankfully I figured it out. So I'm "urging" everyone reading this post to be careful and always follow the "anti-scam" techniques.

References

I used these sources while building my post:

  • https://threatpost.com/roaming-mantis-android-backdoor-europe/178247/
  • https://thehackernews.com/2022/02/roaming-mantis-android-malware.html
  • https://www.microsoft.com/en-us/securitynow/wp-content/uploads/7_ways_to_protect_yourself_from_phishing.pdf
  • https://threatpost.com/roaming-mantis-swarms-globally-spawning-ios-phishing-cryptomining/132149/
  • https://securelist.com/roaming-mantis-reaches-europe/105596/
  • https://securelist.com/roaming-mantis-part-3/88071/
  • https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/
  • https://thecybersecurity.news/vulnerabilities/roaming-mantis-expands-android-backdoor-to-europe-16494/
  • https://www.bleepingcomputer.com/news/security/roaming-mantis-android-malware-campaign-sets-sights-on-europe/
  • https://vpnoverview.com/news/roaming-mantis-sms-phishing-campaign-sets-sights-on-europe/

30 Comments

  1. Neat post, and very in-depth. I also really liked the visuals you provided. Phishing scams as a whole source of hacking have always baffled me somewhat as I’ve always been rather careful with what I interact with online, however, I do understand the massive market they have. I’ve actually seen a few professors here at the university have their emails used to forward these scams, presumably to their entire mailing list. In general, the idea of being careful with what you interact with online is probably the best way to avoid this type of scam, as if you don’t interact, they can’t do anything.

  2. Good post! As people become more wary against scam callers, I definitely see this method becoming the norm that we will have to protect ourselves from. Even on my personal phone I get texts from postal services asking to verify my ID or track my package despite not having ordered from them at all. Your post really shows that we should be wary of what we do and keep on our phones.

  4. The inclusion of images showing the different backdoor methods was fantastic, great addition. Android has always been a bit of a safe haven of computer security for me, due to the increased difficulty of developing malware for the system not being worth it for lots of groups, so when I see this sort of phishing attack I take it rather seriously. On the bright side, this attack seems pretty easy to avoid with some common sense, as it mostly targets people being unaware of phishing attacks and falling for the hook, so hopefully if this comes to Canada I’ll be able to stay pretty safe. However phishing attacks will always work on unaware and paranoid people, so I don’t see these sorts of attacks going away anytime soon. I also thought it was very interesting how they are using a wider variety of programming languages to disguise themselves and their payload.

    All in all, fascinating post! Thanks for sharing.

  5. Great post! Even fraud nowadays is starting to make adjustments to be more convincing to local people. It is crazy that the internet not only connects this world but also spreads crime in an impressive way. Technology is always a double-edged sword. We need to be careful about the person who holds this sword. By the way, it is always a good hint for people not to click weird links and not to type their password into the websites behind these links.

  6. This is one of the more informed posts I’ve read recently, with extensive sources and a wealth of information on the topic. RATs are a very powerful form of trojan viruses and it’s really good to have people getting informed about them, and specifically Mantis with its current prevalence.

  7. This is a really informative post! Many people tend to be overconfident when it comes to their ability to prevent phishing attacks, especially if they’re used to seeing these attacks on one medium. With SMS based authentication being so common place, it is easy for these attacks to disguise themselves as such and re-direct users to malicious webpages. It’s key to be aware of what a SMS authentication message should contain & to double check any directs, download requests and ask why you may need to enter sensitive information onto a webpage.

  8. I’ve noticed since the start of the pandemic that I have been getting more fake text messages, at first being from the “Canadian Revenue Service” involving CERB payments or some sort of reimbursement. Lately the texts have involved e-transfers or Costco rewards. It is pretty that even in the process of blocking the sender and deleting the message, I could accidentally tap the link and my phone could be compromised through HTTPS code injections or something. Perhaps phishing could one day evolve to where even receiving a text message is enough to deploy a payload, where even an attacker having your number is a death sentence for your security. It isn’t too farfetched, given the sophistication of the Roaming Mantis and the fact that it has crossed continents without a solution being developed, or how WROBA can change its language and puppet service depending on the region. Thank you for the insightful post.

  9. Great post! This reminds me of a lot of text messages I get saying that I have done x or y, even though that may not be the case. The texts then include a link for me to address the issue; however, I know that these are just phishing websites ready to take advantage of those who are ignorant of these types of scams. It is interesting to see that the developers of the scam are targeting new countries, as well as how they change their code to adapt to the language the owner of the device speaks. While it is always interesting to see what cool features and changes these scammers come out with, it sheds a light on how some do not care for morals and only want the potential money involved with these scams.

  10. Thank you for bringing this security threat to light. Recently, it seems as though more and more people are receiving phishing attempts via SMS. I have noticed that I have been receiving many suspicious text messages in recent months, most of which include suspicious links. I believe that phone carriers need to amplify their spam filtering to mitigate these types of threats. The fact that this threat targets the victims’ photos is fearful. Many people, including myself, take photos of important documents and consider them safe from attacks. Knowing this, I will now be deleting photos of important documents from my phone. Furthermore, in this instance, it seems as though Android users are at a disadvantage when it comes to security. The fact that the malware is installed on an android victim’s device should be a cause for concern for google. Perhaps Google needs to look into preventing downloads from untrusted sources.

  11. Day by day, hackers from all across the world are looking for victims to scam, and smarter ways are getting used! Every once in a while, I get a text message with just a link sent to me. I obviously know it’s a suspicious URL, but not many people know about this, for example our parents. They will click on any URLs they receive, and it has caused real pain! I had to teach them not to click on any links because it’s a way for hackers to steal your personal information and such. It is interesting and scary how the methods hackers are using are getting developed each day!

  12. The first thing that caught my attention about this post is the name. I am curious as to how this malware received the name that it has in the first place. Aside from the name though, I did find the malware itself to be very interesting. The idea that so much effort went into this phishing scam, with how the WROBA can figure out what region the user is in, and with how pictures are also being taken as well. While I cannot agree with the intentions of the creators, I do admit that I am fascinated by their work. Furthermore, I wonder why specifically France and Germany were chosen as the next two regions to be added. It makes sense for Japan, South Korea, and Taiwan, or any relatively nearby Asian country for that matter, to be involved in this, especially if it is the country of origin; but for France and Germany of all places to be next just seems a bit random, at least to me. Regardless, I thank you for sharing this information, as well as methods of protecting oneself, through your in-depth post!

  13. I really enjoyed your post, because of a few key elements: it’s relevant (nowadays we are all using smartphones and SMS), you talk about ways to counter these attacks, and you have made me aware of this particular trojan. Normally, I wouldn’t fall for one of these types of attacks (as I’m naturally paranoid of everything), but knowing about this will help me make my friends, and family aware of this. I think this is (probably) more aimed at elderly people, because they know less about how corporations tend to direct information to their users; however, knowing this exists is indispensable knowledge. You also used some words that I didn’t have in my cybersecurity lexicon. This is great for me, because if I ever hear about a RAT, I now know what people are referring to! All in all, a good read, and a well done presentation of this trojan.

  14. Nice post! I like how it is very informative about how this trojan can affect different users on different platforms. Now that everything is done online, it is unsurprising that scammers are using these methods to scam users. Just the other day I received an SMS claiming I won some money. I have become very paranoid about some of these, and even when a popup gives me the option to “close” or has an “x” button, I usually do not click them, since they are fake and still redirect you. I would recommend just closing the tab as another way to protect yourself rather than clicking anywhere on the popup. Very informative post, I will be even more wary when I see this sort of thing now.

  15. Very engaging post! The ‘Roaming Mantis’ reminds me of when I once tried to install an application off of an untrustworthy website. I installed my program but also caused something to happen to my browser, Chrome. Anytime I would try to search something up through Google it would take me to Bing; this was a browser hijacker. The ‘Roaming Mantis’ sounds like a much more harmful version.

  16. This is a really nice post! I agree with my classmate Adrian that I also get some irritating messages from Canada Post when I have not ordered anything. I even get calls from Service Canada regarding problems with my SIN number, and the Service Canada official website says that they never call anyone. These fraudsters do such fraudulent activities either by sending fake SMS or email or by making phone calls. I just waste their time by keeping the call on hold for a long time. This post is very informative and helps in protecting us further!

  17. Thank you for such an interesting article! It’s scary how scammers are adapting to current times. Most people can pick up on the usual phone and email scams, but scammers are working overtime to make their approach more undetectable. Instead of making outlandish claims promising millions, I’ve gotten many texts from FIDO claiming to give me a hundred-dollar refund. The URLs and websites they create are very realistic. Unless you’re looking for evidence of a scam, you won’t even realize it’s not your network provider or bank sending you emails. It’s especially worrying for younger and older people as they tend to be more gullible and easily fall into such traps.

  18. It’s quite scary to see that attacks like this are becoming more specific for users.
    As you mentioned, this RAT looks up a user’s country and then proceeds to display imitation pages in their own language, which leaves users unsuspecting of any malicious intent. With AI and ML on the rise it would be interesting to see if attacks like this not only use the user’s language, but actually target users based on their search history, spending habits and other variables.
    Very good read, well done!

  19. Thank you for sharing this topic. Now that mobile phones are very common, we also store more and more personal information on them. The two mainstream mobile phone systems on the market, iOS and Android, have also become the main targets of hacker attacks. What we can do is not click on unknown links at will.

  20. Very informative Post! I also read the article “There’s an uneven distribution in phishing attacks throughout the year. CISCO found that phishing tends to peak around holiday times, finding that phishing attacks soared by 52% in December. We’ve written about a similar phenomenon that typically occurs around Black Friday.” Thank you for providing references.