Malicious campaign targeting routers using a malicious Android application


Kaspersky researchers discovered that hackers used a new tactic in the Roaming Mantis campaign, using malicious Android installation files (APKs) to take control of victims' phones and steal device information.

Kaspersky, which first spotted the campaign in 2018, explained that it is also being used for phishing on iOS devices and for mining cryptocurrency on computers.

The name of the campaign - Roaming Mantis - is based on its distribution via smartphones moving between Wi-Fi networks, which are likely to transmit infections and spread them across the network.

The Russian infosec company discovered that the Roaming Mantis campaign recently added a Domain Name System (DNS) changer to the malicious application used in the campaign, Wroba.o, also known as Agent.eq, Cafe and XLoader.

The malicious DNS changes direct devices connected to infected Wi-Fi routers to hacker-controlled servers instead of legitimate DNS servers. The malicious landing page encourages victims to download malware that can take control of the device or steal credentials.
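A defensive check for the DNS change described above, as an added example that is not from Kaspersky's report or from this article. It assumes you keep a list of approved resolvers and have already collected answers for the same domains from the router-assigned resolver and from a trusted one; every address, domain and function name below is constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: resolvers you approve (constructed documentation addresses).
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

def rogue_resolvers(assigned):
    """Return router-assigned DNS servers that are not on the approved list."""
    normalised = {str(ipaddress.ip_address(r)) for r in assigned}
    return sorted(normalised - APPROVED_RESOLVERS)

def hijack_suspects(local_answers, trusted_answers, min_domains=2):
    """Map each suspicious IP to the domains the local resolver sent there.

    A domain counts as mismatched when its local answers share no address
    with the trusted answers. CDNs make a single mismatch weak evidence, so
    an IP is reported only when several unrelated domains collapse onto it,
    which is what a redirect to one landing page looks like.
    """
    by_ip = defaultdict(set)
    for domain, ips in local_answers.items():
        trusted = set(trusted_answers.get(domain, []))
        if trusted and not trusted & set(ips):
            for ip in ips:
                by_ip[ip].add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}

# Constructed sample data: what a client on the suspect network observed.
SAMPLE_ASSIGNED = ["192.0.2.53", "203.0.113.66"]
SAMPLE_LOCAL = {
    "bank.example": ["198.51.100.7"],
    "mail.example": ["198.51.100.7"],
    "cdn.example": ["203.0.113.20"],   # lone mismatch, not reported
    "news.example": ["192.0.2.80"],
}
SAMPLE_TRUSTED = {
    "bank.example": ["192.0.2.10", "192.0.2.11"],
    "mail.example": ["192.0.2.25"],
    "cdn.example": ["192.0.2.200"],
    "news.example": ["192.0.2.80"],
}

if __name__ == "__main__":
    print("Unapproved resolvers:", rogue_resolvers(SAMPLE_ASSIGNED))
    print("Redirect suspects:", hijack_suspects(SAMPLE_LOCAL, SAMPLE_TRUSTED))
```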

Kaspersky said in its report that the hackers behind the new campaign (Roaming Mantis) are now targeting only routers based in South Korea, made by a well-known South Korean manufacturer of security equipment.

The company said it detected 508 malicious APK downloads in South Korea in December, and an investigation into the malicious target revealed that the attackers were also using text messages instead of DNS changes to target other regions.

This technique uses text messages to spread malicious links that redirect victims to malicious websites, download malware to devices, or steal user information via phishing websites.

Japan tops the list of target countries with around 25,000 downloads of the malicious APK, followed by Austria and France with around 7,000 downloads each, and then Germany, Turkey, Malaysia and India.

Kaspersky researchers expect the hackers to soon update the DNS modification feature to target Wi-Fi routers in these regions as well.

According to Kaspersky Security Network (KSN), the countries with the highest detection rates for the Wroba.o malware in September 2022 were France with 54.4%, Japan with 12.1%, and the United States with 10.1%.

"When an infected smartphone is connected to a 'clean' router in various public places such as cafes, bars, libraries, hotels, malls, airports and even at home," said Suguru Ishimaru, Kaspersky's senior security researcher, "the Wroba.o malware can infiltrate these routers and affect other connected devices."

Ishimaru added that the new DNS modification feature can handle all device connections to infected routers, for example redirecting to malicious hosts and disabling security product updates. "We believe this discovery is important for the cybersecurity of Android devices as it can spread widely in certain areas."



