Android malware infects WiFi routers and cell phones 


Share post

A new DNS-changing Android malware allows cybercriminals to infect Android smartphones with malware via compromised Wi-Fi routers in cafes, airport hotels and other public places. Many users in South Korea are currently being infected, but the malware is spreading more and more in Germany and Austria via smishing. Kaspersky experts report.

Roaming Mantis recently introduced DNS (Domain Name System) changer functionality in Wroba.o malware, also known as Agent.eq, Moqhao and XLoader - the malware is a core part of the campaign. DNS-Changer is a malicious program that directs the device connected to a compromised wireless router to a cybercriminal-controlled DNS server instead of a legitimate one. There, the user is prompted for a download and the downloaded malware can control the device or steal credentials.

Trap: DNS changer functionality

Currently, the threat actor behind Roaming Mantis only targets routers that are located in South Korea and manufactured by a popular South Korean network equipment maker. To identify these, the new DNS Changer feature retrieves the router's IP address and checks the router's model. If it is a desirable target, the device is compromised by overwriting the DNS settings. In December 2022, Kaspersky observed 508 malicious APK downloads in South Korea.

Roaming Mantis spreads in Germany and Austria

Analyzing malicious websites to which users were redirected, it became clear that the actors also target other regions using smishing instead of DNS changer. It does this by spreading malicious links via text messages, which redirect the victim to an infected website in order to download malware onto the device or steal user information via a phishing website. The malicious APK files were downloaded most frequently in Japan (almost 25.000 times), followed by Austria and France with around 7.000 downloads each, and Germany with around 6.000 downloads. Kaspersky experts expect that the actors behind Roaming Mantis will soon update the DNS Changer function to also attack WiFi routers in these countries.

According to Kaspersky telemetry, the detection rate for Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) in the September-December 2022 period was in France (54,4 percent), Japan (12,1 percent) and the United States (10,1 percent) highest.

Infected smartphones can infect other WLANs

“If an infected smartphone connects to a previously uninfected router in a public place such as a coffee shop, bar, library, hotel, mall, airport or even home, the Wroba.o malware can compromise those routers and too affect other connected devices,” explains Suguru Ishimaru, Senior Security Researcher at Kaspersky. “The new DNS changer functionality can manage all device communication through the compromised WiFi router. It also means that it can redirect users to malicious hosts and disable security product updates. The new functionality is extremely critical for Android devices as the campaign can spread so quickly in targeted regions.”

More at


About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at


Matching articles on the topic

Report: 40 percent more phishing worldwide

The current spam and phishing report from Kaspersky for 2023 speaks for itself: users in Germany are after ➡ Read more

BSI sets minimum standards for web browsers

The BSI has revised the minimum standard for web browsers for administration and published version 3.0. You can remember that ➡ Read more

Stealth malware targets European companies

Hackers are attacking many companies across Europe with stealth malware. ESET researchers have reported a dramatic increase in so-called AceCryptor attacks via ➡ Read more

IT security: Basis for LockBit 4.0 defused

Trend Micro, working with the UK's National Crime Agency (NCA), analyzed the unpublished version that was in development ➡ Read more

MDR and XDR via Google Workspace

Whether in a cafe, airport terminal or home office – employees work in many places. However, this development also brings challenges ➡ Read more

Test: Security software for endpoints and individual PCs

The latest test results from the AV-TEST laboratory show very good performance of 16 established protection solutions for Windows ➡ Read more

FBI: Internet Crime Report counts $12,5 billion in damage 

The FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which includes information from over 880.000 ➡ Read more

HeadCrab 2.0 discovered

The HeadCrab campaign against Redis servers, which has been active since 2021, continues to successfully infect targets with the new version. The criminals' mini-blog ➡ Read more