Kaspersky Lab researchers have discovered new Android malware that is reportedly distributed through a domain name system (DNS) hijacking technique and targets smartphones, mostly in Asia. The malware, named Roaming Mantis, is designed to steal user information, including credentials, and to give attackers full control over the compromised Android device.
According to the researchers, the malware was detected in more than 150 user networks between February and April 2018, mostly in South Korea, Bangladesh and Japan, but the real number of victims is likely higher. The researchers believe the whole operation is being carried out by a cybercriminal group seeking financial gain.
"The story was recently reported in the Japanese media, but once we did a little more research, we found that the threat does not originate there. In fact, we found a number of clues that the attacker behind this threat speaks either Chinese or Korean. Further, the majority of victims were not located in Japan either. Roaming Mantis seems to be focusing mainly on Korea and Japan appears to have been a kind of collateral damage," said Vitaly Kamluk, Director of the Global Research and Analysis Team (GReAT) – APAC.
Kaspersky Lab's research indicates that the attackers behind the malware look for exposed routers to compromise and then distribute the malware through a simple but effective trick: hijacking the DNS settings of those compromised routers. How the routers themselves are compromised remains unknown.
Once the DNS settings are hijacked, any attempt by a user to visit any website leads to a URL that looks completely genuine but serves fake content from the attacker's server. This content includes the prompt "To better experience the browsing, update to the latest chrome version". Clicking the link starts the installation of a Trojanised application named either 'facebook.apk' or 'chrome.apk', which contains the attackers' Android backdoor.
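A defender-side heuristic for the router-level DNS hijack described above, added here as an example and not taken from the article or from Kaspersky: because a hijacked resolver sends every site to the attacker's server, unrelated domains collapse onto a single address, which this check detects by comparing a resolver under test against a trusted reference. The probe domains, the 75% collapse threshold and the sample addresses (RFC 5737 documentation ranges) are assumptions chosen for the example.

```python
# Added example (not from the article or Kaspersky): heuristic check for the
# router-level DNS hijack described above. A hijacked resolver sends every
# site to the attacker's server, so unrelated domains collapse onto one IP.
# Resolvers are callables (domain -> IPv4 string) so the check runs offline
# on constructed data; pass socket.gethostbyname to test the live resolver.
from collections import Counter
from typing import Callable, Dict, Iterable

# Unrelated domains that should never legitimately share a single address.
PROBE_DOMAINS = ["example.com", "example.net", "example.org", "example.edu"]

def resolve_all(resolver: Callable[[str], str],
                domains: Iterable[str]) -> Dict[str, str]:
    """Resolve each domain; a lookup failure is recorded as an empty string."""
    results: Dict[str, str] = {}
    for domain in domains:
        try:
            results[domain] = resolver(domain)
        except OSError:
            results[domain] = ""
    return results

def hijack_indicators(under_test: Dict[str, str],
                      reference: Dict[str, str]) -> dict:
    """Strong signal: >=3 probe domains and >=75% of answered ones share one
    IP. Disagreement with the reference alone is weak (CDNs vary per edge),
    so it is reported but does not trigger on its own."""
    answered = [ip for ip in under_test.values() if ip]
    top_ip, hits = Counter(answered).most_common(1)[0] if answered else ("", 0)
    collapsed = hits >= 3 and hits >= 0.75 * len(answered)
    mismatches = sorted(d for d, ip in under_test.items()
                        if ip and reference.get(d) and ip != reference[d])
    return {"suspected": collapsed,
            "collapsed_to": top_ip if collapsed else None,
            "mismatches": mismatches}

def check_resolver(under_test: Callable[[str], str],
                   reference: Callable[[str], str],
                   domains: Iterable[str] = PROBE_DOMAINS) -> dict:
    domains = list(domains)
    return hijack_indicators(resolve_all(under_test, domains),
                             resolve_all(reference, domains))

# Constructed sample data using documentation address ranges (RFC 5737).
_REFERENCE = {"example.com": "192.0.2.10", "example.net": "192.0.2.20",
              "example.org": "192.0.2.30", "example.edu": "192.0.2.40"}
CLEAN = lambda domain: _REFERENCE[domain]  # well-behaved resolver
HIJACKED = lambda domain: "203.0.113.7"    # every name -> attacker's server
```

Running `check_resolver(HIJACKED, CLEAN)` reports the collapse to 203.0.113.7 with all four probes mismatching, while `check_resolver(CLEAN, CLEAN)` reports nothing suspicious.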