An Android Trojan masquerading as popular mobile applications is propagating via smartphones roaming between Wi-Fi networks, Kaspersky Lab warns.
Over the span of two months, the Moscow-based security firm observed the malware mainly targeting users in Asia. As part of the attack, DNS settings of routers are hijacked to redirect users to malicious IP addresses, where they serve fake versions of popular applications.
Dubbed Roaming Mantis, the Trojan appears to be the work of a financially motivated actor familiar with both Simplified Chinese and Korean. The attackers were observed using Trojanized applications named facebook.apk and chrome.apk to trick users into installing the malware.
After being redirected to a malicious website, users are prompted, for example, to install an update for Chrome: “To better experience the browsing, update to the latest chrome version,” the popup message displayed by the rogue server reads, Kaspersky says.
During installation, Roaming Mantis requests permission to be notified when the device is booted, to use the Internet, collect account information, manage SMS/MMS and make calls, record audio, control external storage, check packages, work with file systems, draw overlay windows, and more.
After installation, the malware overlays a message over all other windows, after which it starts its own webserver on the device, and renders a page spoofing Google’s authentication on 127.0.0.1. Using the Google account name collected from the infected device, the threat asks the user to provide a name and date of birth, claiming that this would facilitate access to the account.
The Trojan also attempts to get a verification code for two-factor authentication, but a bug in the code resulted in the Korean text to be displayed for Japanese and English users as well. The malware developers could also attempt to steal verification codes using the receive/read/write/send SMS/MMS and record audio permissions.
The malware’s code also contains references to Android applications popular in South Korea, linked to mobile banking and games: wooribank.pib.smart, kbstar.kbbank, ibk.neobanking, sc.danb.scbankapp, shinhan.sbanking, hanabank.ebk.channel.android.hananbank, smart, epost.psf.sdsi, kftc.kjbsmb, smg.spbs, webzen.muorigin.google, ncsoft.lineagem19, ncsoft.lineagem, co.neople.neopleotp, co.happymoney.android.happymoney, nexon.axe, nexon.nxplay, atsolution.android.uotp2.
The malware also verifies the presence of the su binary (superuser), which is usually an indication that the device is rooted (the su binary is not present on regular Android devices). This could allow attackers to gain elevated privileges on the system.
The malware appears to be receiving code updates on a regular basis, and the security researchers note that it also includes a new feature to communicate with the C&C via email protocols. The Trojan sends data such as language, phone number, access information, and the result of a PING test to the C&C.
Between February 9 and April 9, 2018, Kaspersky observed more than 6,000 occurrences of the malware, but only around 150 unique users appeard to be impacted.
Most detections came from South Korea, Bangladesh, and Japan, which isn’t surprising, as the malware’s capabilities suggest it was designed to be spread mainly in Asian countries. The researchers noticed around 3,000 connections to the C&C infrastructure per day, which reveals a much larger infection campaign.
Based on the system locale information the malware sends to the C&C, the researchers discovered that 98% of affected devices appear to have the Korean locale set. The remaining devices use English (both U.K. and U.S.), Simplified Chinese, Japanese, and others.
Roaming Mantis can not only steal information from the infected devices, but also provide attackers with full control over them. Likely the work of cybercriminal hackers, the Trojan is being updated each day, showing that the malicious actor is highly active.