Roaming Mantis infects smartphones through Wi-Fi routers

Tom Grant
Last updated: 13 October

Some time ago our experts investigated a piece of malware that they dubbed Roaming Mantis. Back then, the people affected were mainly users from Japan, Korea, China, India, and Bangladesh, so we didn’t discuss the malware in the context of other regions; it seemed to be a local threat.

Contents

  • What is DNS hijacking
  • Roaming Mantis on Android
  • Roaming Mantis: World tour, iOS debut, and mining
  • How to protect from Roaming Mantis
  • What to do if infected by Roaming Mantis

However, in the month since the report was published, Roaming Mantis has added two dozen more languages and is rapidly spreading around the world.

The malware uses compromised routers to infect Android-based smartphones and tablets. It then redirects iOS devices to a phishing site and runs the CoinHive cryptomining script on desktops and laptops. It does so by means of DNS hijacking, making it hard for targeted users to detect that something’s amiss.

What is DNS hijacking

When you enter a site name in your browser address bar, the browser doesn’t actually send a request to that site. It can’t; the Internet operates on IP addresses, which are sets of numbers, whereas domain names with words are easier for people to remember and input.

When you enter a URL, your browser sends a request to a DNS server (DNS stands for Domain Name System), which translates the human-friendly name into the IP address of the corresponding website. It is this IP address that the browser uses to locate and open the site.

DNS hijacking is a way of fooling the browser into thinking it has matched the domain name to the correct IP address when in fact it hasn’t. Although the IP address is wrong, the original URL entered by the user is displayed in the browser address bar, so nothing looks suspicious.

There are many DNS-hijacking techniques, but the creators of Roaming Mantis have chosen perhaps the simplest and most effective: They hijack the settings of compromised routers, forcing them to use their own rogue DNS servers. That means regardless of what is typed into the browser address bar of a device connected to this router, the user is redirected to a malicious site.

Roaming Mantis on Android

After the user is redirected to the malicious site, they are prompted to update the browser. That leads to the download of a malicious app named chrome.apk (there was another version as well, named facebook.apk).

[Screenshot: Roaming Mantis on Android]

The malware requests a bunch of permissions during the installation process, including rights to access account information, send and receive SMS messages, process voice calls, record audio, access files, display its own window on top of others, and so on. For a trusted application such as Google Chrome, the list doesn’t seem too suspicious — if the user considers this “browser update” legit, they are sure to grant permissions without even reading the list.

After the application is installed, the malware uses the right to access the list of accounts to find out which Google account is used on the device. Next, the user is shown a message (it appears on top of all other open windows, another permission the malware requested) saying that something is wrong with their account and that they need to sign in again. A page then opens and prompts the user to enter their name and date of birth.

[Screenshot: Roaming Mantis on Android]

It appears that this data, together with the SMS permissions that grant access to the one-time codes needed for two-factor authentication, is then used by the creators of Roaming Mantis to steal Google accounts.
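The permission list above is the tell-tale of this kind of fake "browser update". As an added example that is not code from the original post or from Kaspersky, the script below triages an APK whose AndroidManifest.xml has already been decoded to text (for instance with apktool; inside the APK it is binary XML) and flags the account-plus-SMS-plus-overlay combination the post describes, as well as an app that carries the Chrome or Facebook label under a package name that is not the genuine one. The manifests and package names in it are constructed for the example; the genuine package names com.android.chrome and com.facebook.katana are real.

```python
# Added example, not code from the original post or from Kaspersky: triage the
# permission list of an APK whose AndroidManifest.xml has already been decoded to
# text (for instance with apktool; inside the APK the manifest is binary XML).
# It flags the permission combination the fake "browser update" above requests.
# Every manifest and package name below (except the genuine ones) is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> any one of these permissions grants it.
CAPABILITIES = {
    "read_accounts": {"android.permission.GET_ACCOUNTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "calls": {"android.permission.PROCESS_OUTGOING_CALLS",
              "android.permission.CALL_PHONE"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Package names the genuine apps ship under; a manifest that borrows the label
# but not the package is impersonating them.
GENUINE_PACKAGES = {"Chrome": "com.android.chrome", "Facebook": "com.facebook.katana"}


def requested_permissions(manifest_xml):
    """Set of <uses-permission android:name=...> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    names.discard(None)
    return names


def triage(manifest_xml):
    """Summarise what the app can do and whether it matches the account-theft pattern."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    caps = {cap for cap, group in CAPABILITIES.items() if perms & group}
    app = root.find("application")
    label = app.get(ANDROID_NS + "label") if app is not None else None
    package = root.get("package")
    # Accounts + SMS + overlay is the minimum needed for the flow described above:
    # learn the Google account, draw a fake re-login prompt over other apps, and
    # read the one-time codes that arrive by SMS.
    account_theft = {"read_accounts", "sms", "overlay"} <= caps
    impersonation = label in GENUINE_PACKAGES and GENUINE_PACKAGES[label] != package
    return {
        "package": package,
        "label": label,
        "capabilities": caps,
        "account_theft_pattern": account_theft,
        "impersonates_known_app": impersonation,
    }


# Constructed manifest modelled on the permission list quoted in the post.
FAKE_CHROME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechrome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Chrome"/>
</manifest>"""

# Constructed manifest of a harmless app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for m in (FAKE_CHROME_MANIFEST, BENIGN_MANIFEST):
        print(triage(m))
```

A real manifest often stores the label as a resource reference such as `@string/app_name` rather than a literal, in which case the impersonation check needs the decoded strings file as well; the permission check does not depend on that.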

Roaming Mantis: World tour, iOS debut, and mining

In the beginning, Roaming Mantis could display messages in four languages: English, Korean, Chinese, and Japanese. But somewhere along the line, its creators decided to expand and add another two dozen languages to their polyglot malware:

  • Arabic
  • Armenian
  • Bulgarian
  • Bengali
  • Czech
  • Georgian
  • German
  • Hebrew
  • Hindi
  • Indonesian
  • Italian
  • Malay
  • Polish
  • Portuguese
  • Russian
  • Serbo-Croat
  • Spanish
  • Tagalog
  • Thai
  • Turkish
  • Ukrainian
  • Vietnamese

While they were at it, the creators also improved Roaming Mantis, teaching it to attack devices running iOS. It’s a different scenario from the Android attacks. On iOS, Roaming Mantis skips downloading the application; instead, the malicious site displays a phishing page prompting the user to log back in to the App Store right away. To add credibility, the address bar shows the reassuring URL security.apple.com:

[Screenshot: Roaming Mantis phishing on iOS]

The cybercriminals do not confine their theft to Apple ID credentials; immediately after entering this data, the user is asked for a bank card number:

[Screenshot: Roaming Mantis phishing on iOS]

The third innovation our experts uncovered concerns desktop computers and laptops. On these devices, Roaming Mantis runs the CoinHive mining script, which mines cryptocurrency and dumps it straight into the pockets of the malware makers. The victim’s computer processor is loaded to the max, forcing the system to slow down and consume vast amounts of power.

[Screenshot: Roaming Mantis mining on desktops and laptops]

You can find more details about Roaming Mantis in the original report and a fresh Securelist post with updated information about the malware.

How to protect from Roaming Mantis

  • Use antivirus protection on all devices: not just computers and laptops, but smartphones and tablets too.
  • Regularly update all installed software on your devices.
  • On Android devices, disable the installation of applications from unknown sources. You’ll find this option under Settings -> Security -> Unknown sources.
  • Update your router firmware (check your router’s manual to find out how) as often as possible. Don’t use unofficial firmware downloaded from shady sites.
  • Always change the default administrator password on the router.

What to do if infected by Roaming Mantis

Kaspersky security products detect and remove Roaming Mantis, so your first step is to install antivirus on all of your devices and run a system scan. After you scrub Roaming Mantis from your computers and devices, you’ll need to do a bit of cleanup to avoid reinfection:

  • Change all passwords for accounts compromised by the malware. Cancel all bank cards for which you entered details on the Roaming Mantis phishing site.
  • Change the router administrator password and update the firmware. In doing so, be sure to download it only from the official website of the router manufacturer.
  • Navigate to your router’s settings and check the DNS server address. If it doesn’t match the one issued by your provider — you can find that on your ISP’s website (check it from a safe system!) or call them to find out — change it back to the right one.
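The DNS check in the last step, and the DNS hijacking mechanism explained earlier in the post, can both be put into a small script. The one below is an added example, not code from the original post or from Kaspersky. It does two things: it lists the resolvers a client was handed (from /etc/resolv.conf on Linux; on Windows the same information is in the output of `ipconfig /all`) and flags any that is neither the router itself nor one of the resolvers the ISP publishes, and it compares a lookup through the configured resolver with one through a trusted resolver. The resolv.conf text, the LAN subnet, the ISP resolver list and the lookup answers are all constructed; in practice the answers would come from a tool such as `dig @<resolver> <name>` or a DNS library.

```python
# Added example, not code from the original post or from Kaspersky. It covers two
# checks for the router DNS hijacking described in the post: (1) are the resolvers
# a device was handed (from resolv.conf on Linux; "ipconfig /all" on Windows) ones
# the ISP actually operates, and (2) does a lookup through the configured resolver
# agree with a trusted resolver. All addresses, the resolv.conf text, the ISP list
# and the lookup answers are constructed; in practice the answers would come from
# e.g. "dig @<resolver> <name>" or a DNS library.
import ipaddress

# Constructed: what a client behind a hijacked router might receive via DHCP.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.7   # not an ISP resolver
"""
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")        # constructed home LAN
ISP_RESOLVERS = ["198.51.100.1", "198.51.100.2"]             # constructed ISP list


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue                           # malformed entry, ignore
    return servers


def unexpected_resolvers(configured, isp_allowlist, lan_network):
    """Resolvers that are neither the router itself nor one the ISP publishes.

    The router's own LAN address is expected: most routers forward DNS for their
    clients. In that case the rogue server is set in the router's WAN/DNS page,
    which is where the cleanup list above tells you to look.
    """
    allowed = {ipaddress.ip_address(a) for a in isp_allowlist}
    return [s for s in configured if s not in allowed and s not in lan_network]


def lookup_disagrees(name, configured_answers, trusted_answers):
    """True if the configured resolver's answer shares no address with a trusted one.

    Legitimate answers can differ across resolvers (CDNs, geo-routing), so a
    disagreement is a reason to investigate, not proof of hijacking on its own.
    """
    got = set(configured_answers.get(name, []))
    expected = set(trusted_answers.get(name, []))
    return bool(expected) and not (got & expected)


# Constructed lookup results keyed by name (192.0.2.0/24 is documentation space).
CONFIGURED_ANSWERS = {"accounts.example.com": ["192.0.2.99"],   # rogue answer
                      "static.example.net": ["192.0.2.10"]}
TRUSTED_ANSWERS = {"accounts.example.com": ["192.0.2.20", "192.0.2.21"],
                   "static.example.net": ["192.0.2.10"]}


def report():
    """Run both checks over the constructed inputs and return the findings."""
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    rogue = unexpected_resolvers(servers, ISP_RESOLVERS, LAN_NETWORK)
    redirected = [n for n in CONFIGURED_ANSWERS
                  if lookup_disagrees(n, CONFIGURED_ANSWERS, TRUSTED_ANSWERS)]
    return {"resolvers": [str(s) for s in servers],
            "unexpected_resolvers": [str(s) for s in rogue],
            "redirected_names": redirected}


if __name__ == "__main__":
    print(report())
```

When the only resolver listed is the router's own LAN address, the client-side check is inconclusive and the router's admin page is the place to look, as the cleanup step says; the lookup comparison still works in that case because it goes through whatever the router forwards to.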

Source: kaspersky.com
