Android malware infects WiFi routers and cell phones 


Share post

A new DNS-changing Android malware allows cybercriminals to infect Android smartphones with malware via compromised Wi-Fi routers in cafes, airport hotels and other public places. Many users in South Korea are currently being infected, but the malware is spreading more and more in Germany and Austria via smishing. Kaspersky experts report.

Roaming Mantis recently introduced DNS (Domain Name System) changer functionality in Wroba.o malware, also known as Agent.eq, Moqhao and XLoader - the malware is a core part of the campaign. DNS-Changer is a malicious program that directs the device connected to a compromised wireless router to a cybercriminal-controlled DNS server instead of a legitimate one. There, the user is prompted for a download and the downloaded malware can control the device or steal credentials.

Trap: DNS changer functionality

Currently, the threat actor behind Roaming Mantis only targets routers that are located in South Korea and manufactured by a popular South Korean network equipment maker. To identify these, the new DNS Changer feature retrieves the router's IP address and checks the router's model. If it is a desirable target, the device is compromised by overwriting the DNS settings. In December 2022, Kaspersky observed 508 malicious APK downloads in South Korea.

Roaming Mantis spreads in Germany and Austria

Analyzing malicious websites to which users were redirected, it became clear that the actors also target other regions using smishing instead of DNS changer. It does this by spreading malicious links via text messages, which redirect the victim to an infected website in order to download malware onto the device or steal user information via a phishing website. The malicious APK files were downloaded most frequently in Japan (almost 25.000 times), followed by Austria and France with around 7.000 downloads each, and Germany with around 6.000 downloads. Kaspersky experts expect that the actors behind Roaming Mantis will soon update the DNS Changer function to also attack WiFi routers in these countries.

According to Kaspersky telemetry, the detection rate for Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) in the September-December 2022 period was in France (54,4 percent), Japan (12,1 percent) and the United States (10,1 percent) highest.

Infected smartphones can infect other WLANs

“If an infected smartphone connects to a previously uninfected router in a public place such as a coffee shop, bar, library, hotel, mall, airport or even home, the Wroba.o malware can compromise those routers and too affect other connected devices,” explains Suguru Ishimaru, Senior Security Researcher at Kaspersky. “The new DNS changer functionality can manage all device communication through the compromised WiFi router. It also means that it can redirect users to malicious hosts and disable security product updates. The new functionality is extremely critical for Android devices as the campaign can spread so quickly in targeted regions.”

More at


About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at


Matching articles on the topic

Accelerated cybercrime with ChatGPT4

Security researchers reveal various scenarios that allow hackers to improve their malicious efforts and preparations, resulting in faster and more accurate ones ➡ Read more

Cybercrime with ChatGPT

With every improvement of ChatGPT, there is growing concern that it can and will be misused on a large scale, especially by cybercrime ➡ Read more

VOIP/PBX software 3CX abused for sideloading attack

A trojanized version of the popular phone system VOIP/PBX software 3CX is currently making headlines. The business phone system is used by companies in 190 ➡ Read more

Cyber ​​attack on Helmholtz Zentrum München

As early as March 15, the Helmholtz Zentrum München could no longer be reached. A cyber attack paralyzed everything. ➡ Read more

Security: BSI handbook for company management

The BSI distributes the new international manual "Management of Cyber ​​Risks" for company management. The one with the Internet Security Alliance ➡ Read more

Ransomware: Attack on Schweizer Medienverlag and NZZ

The Neue Züricher Zeitung - NZZ reported an attack on their network a few days ago and was therefore unable to ➡ Read more

Chinese cyber attackers target zero-day vulnerabilities

Found zero-day vulnerabilities are often exploited by individual APT groups. According to Mandiant, Chinese cyberattackers are targeting more and more zero-day vulnerabilities. The report proves it ➡ Read more

Cloud bursting vulnerability

As an application delivery technique, cloud bursting enables the best of both worlds to be combined. On the one hand, it enables ➡ Read more