A new DNS-changing Android malware allows cybercriminals to infect Android smartphones with malware via compromised Wi-Fi routers in cafes, airport hotels and other public places. Many users in South Korea are currently being infected, but the malware is spreading more and more in Germany and Austria via smishing. Kaspersky experts report.
Roaming Mantis recently introduced DNS (Domain Name System) changer functionality in Wroba.o malware, also known as Agent.eq, Moqhao and XLoader - the malware is a core part of the campaign. DNS-Changer is a malicious program that directs the device connected to a compromised wireless router to a cybercriminal-controlled DNS server instead of a legitimate one. There, the user is prompted for a download and the downloaded malware can control the device or steal credentials.
Trap: DNS changer functionality
Currently, the threat actor behind Roaming Mantis only targets routers that are located in South Korea and manufactured by a popular South Korean network equipment maker. To identify these, the new DNS Changer feature retrieves the router's IP address and checks the router's model. If it is a desirable target, the device is compromised by overwriting the DNS settings. In December 2022, Kaspersky observed 508 malicious APK downloads in South Korea.
Roaming Mantis spreads in Germany and Austria
Analyzing malicious websites to which users were redirected, it became clear that the actors also target other regions using smishing instead of DNS changer. It does this by spreading malicious links via text messages, which redirect the victim to an infected website in order to download malware onto the device or steal user information via a phishing website. The malicious APK files were downloaded most frequently in Japan (almost 25.000 times), followed by Austria and France with around 7.000 downloads each, and Germany with around 6.000 downloads. Kaspersky experts expect that the actors behind Roaming Mantis will soon update the DNS Changer function to also attack WiFi routers in these countries.
According to Kaspersky telemetry, the detection rate for Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) in the September-December 2022 period was in France (54,4 percent), Japan (12,1 percent) and the United States (10,1 percent) highest.
Infected smartphones can infect other WLANs
“If an infected smartphone connects to a previously uninfected router in a public place such as a coffee shop, bar, library, hotel, mall, airport or even home, the Wroba.o malware can compromise those routers and too affect other connected devices,” explains Suguru Ishimaru, Senior Security Researcher at Kaspersky. “The new DNS changer functionality can manage all device communication through the compromised WiFi router. It also means that it can redirect users to malicious hosts and disable security product updates. The new functionality is extremely critical for Android devices as the campaign can spread so quickly in targeted regions.”
More at Kaspersky.com
About Kaspersky Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/