Roaming Mantis mobile smishing campaign spreads and gets updated features

First spotted in APAC countries in 2018, Roaming Mantis recently received updates allowing it to steal more data and has begun targeting individuals in France and Germany.


The mobile malware campaign known as Roaming Mantis largely left the news cycle after causing a stir in 2018, but Kaspersky reports that new life has been breathed into the campaign in the form of new features and new targets: France and Germany.

Roaming Mantis is a mobile device smishing campaign that uses several different Android Trojans (Wroba.g, Wroba.o, Moqhao, and XLoader) to take control of Android devices. iOS users are not off the hook, however: when a Roaming Mantis SMS link is activated, the landing page detects the device type and region, and when it finds an iOS device, it directs the victim to a fake Apple ID login page in the language of their respective country.

When it first appeared in 2018, Kaspersky said Roaming Mantis targeted mobile device users in Japan, Taiwan and Korea. In July 2021, Kaspersky said the malware dropper used by Roaming Mantis had been found in France, Japan, India, China, Germany and Korea, in descending order of detections.

That’s not good news: Roaming Mantis has the potential to take almost complete control of an infected device.

How Roaming Mantis infects a device

As mentioned above, Roaming Mantis is spread through phishing text messages which, according to Kaspersky, contain a short description and a hidden link. In the two examples of smishing messages sent to France and Germany, the description was for package tracking, a common tactic that cybercriminals use to lure victims.


When the link is clicked, Android users are prompted to download something, which is the Roaming Mantis malware dropper. Once installed, the Roaming Mantis malware is able to do various things on the infected device: send text messages, ping the device, read the phone status, transfer calls and lock the device, plus two new capabilities that Kaspersky detected as part of its 2021 updates and targeting changes: stealing individual photos, and stealing entire galleries.

Kaspersky said the new features, in particular, indicate the Roaming Mantis developers have two goals in mind. First, to steal photographs of various forms of ID, like driver’s licenses, health insurance cards, and other important documents that we often scan to send to employers for COVID testing, etc. Kaspersky said this information will likely be used to sign contracts or payment services on behalf of the victim. The second likely use Kaspersky mentions is to blackmail users who may have private or incriminating photos on their device.

Why Roaming Mantis is so dangerous

As Roaming Mantis expanded to different countries with different languages, it continued to add new region controls to its system, which in turn added French, German and other languages used in the countries it targets.

In addition to its ability to adapt to its environment, Roaming Mantis also uses several different obfuscation techniques on its landing pages to evade detection, as well as to undermine researchers trying to figure out its code. “In addition to obfuscation, the landing page blocks connection from the source IP address in untargeted regions and just displays a fake ‘404’ page for those connections,” Kaspersky said.

It is not only in France and Germany that Roaming Mantis has spread. Kaspersky quoted independent research published by Japanese security expert @ninoseki that shows it is also active in the United States, India, Taiwan and Turkey, although far from the total number of infections in France and Japan, for which ninoseki detected 66,789 and 22,254 downloads in one day in September 2021, respectively. Despite the high number of Japanese detections, Kaspersky said it believed France and Germany were now the main targets for Roaming Mantis.

Like all phishing attacks, Roaming Mantis requires user action. Specifically, when the phishing link is followed, the user must agree to the download and installation, and that’s where the biggest security takeaway from this story emerges.


Those who use Android devices should never install apps from unknown sources. Android has app-level controls that can prevent web browsers from installing anything, although best practice is to make sure you can’t install apps from anywhere except the Google Play Store. Unfortunately, Android devices differ significantly in where this setting is located. Check with your manufacturer or carrier for specific steps.

Companies that issue Android devices to employees should nip unauthorized apps in the bud by disabling app installs from unknown sources at the MDM level.
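One way an MDM agent running as Android device owner enforces this, as an added example that is not from the article or from Kaspersky; it assumes the agent app is already set as device owner and that the `admin` component passed in is its DeviceAdminReceiver (both hypothetical names):

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.UserManager;

/** Added example: applies the "no unknown sources" restriction from a device-owner app. */
public final class UnknownSourcesPolicy {

    private UnknownSourcesPolicy() {}

    /**
     * Blocks app installs from anywhere except the managed store channel.
     * Returns true only when the restriction is confirmed active on this device.
     */
    public static boolean enforce(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        UserManager um = (UserManager) ctx.getSystemService(Context.USER_SERVICE);

        // Only a device owner (or profile owner) may add user restrictions;
        // an unmanaged install of the agent cannot enforce anything.
        if (!dpm.isDeviceOwnerApp(ctx.getPackageName())) {
            return false;
        }

        // Blocks sideloading for the current user (available since API 18).
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);

        // Android 10 and later: also block it for every user on the device,
        // which covers secondary users and work/personal splits.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            dpm.addUserRestriction(admin,
                    UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY);
        }

        // Read the restriction back rather than assuming it applied; a
        // compliance check should report what the device actually enforces.
        return um.hasUserRestriction(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
    }
}
```

With the restriction in place, the "Install unknown apps" toggle is greyed out in Settings and the browser's prompt to install the dropper never gets past the system's package installer.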

Also, make sure you and your users know what phishing is, and how to spot phishing attacks from email, social media, SMS or any other format.
