Roaming Mantis Preys on Multilingual Victims

A new wave of Android malware originally seen targeting victims across Asia via DNS hijacking has evolved into multilingual malware, broadening its attack surface and evading detection as it spreads across Europe and the Middle East, according to new research from Kaspersky Lab.

Roaming Mantis, Android malware distributed through DNS hijacking, was discovered earlier this year but has since evolved beyond targeting smartphones in Asia. The malware now supports 27 languages and has extended into Europe and the Middle East, adding a phishing option for iOS devices and a PC crypto-mining capability.

Designed to steal user information, the malware also provides attackers with control over the compromised device. Researchers believe a financially motivated Korean- or Chinese-speaking cybercriminal group is behind the operation.

“The attackers substantially extended their target languages from four to 27, including European and Middle Eastern languages. And yet, they keep adding comments in Simplified Chinese,” security researcher Suguru Ishimaru wrote in an 18 May SecureList blog post.

"But, of course, this multilingualism is not limited to the landing page," Ishimaru continued. "The most recent malicious apk (MD5: 'fbe10ce5631305ca8bf8cd17ba1a0a35') was also expanded to support 27 languages."

Researchers believe the attackers used an automatic translator to expand their initial set of languages into dozens of others and infect more users, but they have changed more than the languages.

Though the criminal group originally targeted Android devices, it is now targeting iOS devices as well, “using a phishing site to steal user credentials. When a user connects to the landing page via iOS devices, the user is redirected to ‘http://security.apple.com/’,” Ishimaru wrote.

While an authentic DNS server would recognize that such a domain name doesn’t exist, Ishimaru said, “a user connecting via a compromised router can access the landing page because the rogue DNS service resolves this domain to the IP address 172.247.116[.]155. The final page is a phishing page mimicking the Apple website with the very reassuring domain name ‘security.apple.com’ in the address bar of the browser.”
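The hijack described above works because the device trusts whatever resolver the router hands it. One defensive check is to compare the answers the device's configured resolver gives against a reference resolver and flag names that should not exist but do resolve, or that resolve to addresses outside the ranges you expect for that zone. The following is an added example, not code from the article or from Kaspersky; the two resolver functions are constructed stand-ins so the block runs offline (swap in real lookups to use it), and the `17.0.0.0/8` allowlist and the `17.0.0.x` placeholder answers are assumptions chosen for illustration. The only page-derived value is the phishing IP `172.247.116.155`.

```python
"""Audit a device's DNS resolver for rogue-DNS style hijacking.

Added example (not part of the original article). Answers are compared
against a trusted reference resolver and a per-zone allowlist of networks.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# A resolver maps a hostname to an IP string, or None when the name
# does not exist (NXDOMAIN).
Resolver = Callable[[str], Optional[str]]

# Constructed: what the legitimate public DNS tree would answer.
# The addresses are placeholders (assumption), not real records.
_LEGIT_ANSWERS = {
    "apple.com": "17.0.0.1",
    "www.apple.com": "17.0.0.2",
    # 'security.apple.com' is deliberately absent: a real resolver
    # answers NXDOMAIN for it, as the article notes.
}

# Constructed: what a rogue resolver on a compromised router answers.
# It mirrors the legitimate answers but adds the non-existent name,
# pointing it at the phishing IP quoted in the article.
_ROGUE_ANSWERS = dict(_LEGIT_ANSWERS)
_ROGUE_ANSWERS["security.apple.com"] = "172.247.116.155"


def legit_resolver(name: str) -> Optional[str]:
    """Stand-in for a trusted reference resolver (constructed)."""
    return _LEGIT_ANSWERS.get(name)


def rogue_resolver(name: str) -> Optional[str]:
    """Stand-in for the resolver a hijacked router pushes (constructed)."""
    return _ROGUE_ANSWERS.get(name)


# Networks you expect to host each zone. Assumption: 17.0.0.0/8 is used
# here purely as an example allowlist for the apple.com zone.
TRUSTED_NETS: Dict[str, List[ipaddress.IPv4Network]] = {
    "apple.com": [ipaddress.ip_network("17.0.0.0/8")],
}


def zone_of(name: str) -> str:
    """Reduce a hostname to its registrable zone (last two labels)."""
    return ".".join(name.split(".")[-2:])


def audit(names: List[str],
          device_resolver: Resolver,
          reference_resolver: Resolver,
          trusted_nets: Dict[str, List[ipaddress.IPv4Network]]
          ) -> List[Tuple[str, str, Optional[str], Optional[str]]]:
    """Return findings as (name, reason, observed, expected).

    Reasons, in order of severity:
      resolves-nonexistent-name: device answers a name the reference says
                                 does not exist (the article's pattern)
      answer-mismatch:           device and reference disagree
      outside-trusted-range:     both agree, but the address is outside
                                 the allowlist for that zone
    """
    findings = []
    for name in names:
        observed = device_resolver(name)
        expected = reference_resolver(name)
        if observed is None:
            continue  # device also says NXDOMAIN; nothing to flag
        if expected is None:
            findings.append((name, "resolves-nonexistent-name", observed, None))
            continue
        if observed != expected:
            findings.append((name, "answer-mismatch", observed, expected))
            continue
        nets = trusted_nets.get(zone_of(name), [])
        if nets and not any(ipaddress.ip_address(observed) in n for n in nets):
            findings.append((name, "outside-trusted-range", observed, expected))
    return findings


if __name__ == "__main__":
    watch = ["apple.com", "www.apple.com", "security.apple.com"]
    for finding in audit(watch, rogue_resolver, legit_resolver, TRUSTED_NETS):
        print(finding)
```

The audit is most useful when run periodically from a device on the LAN, with the watch list made up of names phishing kits are known to imitate; a resolver that answers for a name the reference resolver reports as non-existent is the clearest indicator of the behaviour the article describes.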

An additional feature included in the extended translations of the malware is PC web mining for the most popular crypto-currency among cybercriminals, Coinhive, accomplished via a special script executed in the browser.