Hackers are distributing a malicious Android app called Roaming Mantis by hijacking the DNS settings of vulnerable, poorly secured routers.
DNS hijacking lets attackers intercept traffic, inject fake advertisements into websites, and redirect users to phishing pages designed to trick them into handing over sensitive information such as login credentials and bank account details.
Seizing control of a router's DNS for malicious purposes is nothing new. There have been numerous earlier reports of DNSChanger and Switcher spreading; both of these malware families work by altering the DNS settings of wireless routers so that traffic is redirected to attacker-controlled websites.
Security researchers at Kaspersky Lab have uncovered this malicious software campaign. The campaign targets users in Asian countries, including South Korea, China, Bangladesh, and Japan, and has been active since February of this year.
Once the DNS settings have been altered, the rogue resolvers redirect victims to counterfeit versions of the legitimate websites they are trying to reach, which display a popup with the warning: 'To experience better web browsing, you should update to the latest version of Chrome.'
Subsequently, users download the counterfeit Roaming Mantis malware app posing as Chrome for Android, allowing for the collection of device account information, SMS/MMS management, call recording, external storage control, packet inspection, system file manipulation, and more.
'The redirection leads to the installation of Trojanized apps named facebook.apk and chrome.apk containing the Android Banker Trojan.'
If installed, the malicious app will immediately overlay all other windows to display the counterfeit warning.
After that, Roaming Mantis will open a local web server on the device and launch a web browser to open a fake version of the Google website, prompting users to enter their date of birth and their names into it.
To convince users that they are entering their information on a legitimate website, the fake page displays the Gmail address configured on the infected Android device.
Researchers stated: 'After users enter their names and birth dates, the browser will be redirected to a blank webpage at http://127.0.0.1:${random_port}/submit.' 'Similar to distribution websites, the malware also supports 4 main languages, which are Korean, Chinese, Japanese, and English.'
The Roaming Mantis app is granted permission to read and write SMS messages on the device, which lets attackers steal the one-time codes sent for two-factor authentication on victims' accounts.
While analyzing the malware's code, researchers found references to popular South Korean mobile banking and gaming apps, which the malware's device-detection feature looks for on the infected device.
Researchers said: 'For attackers, this could indicate that the Android device belongs to a high-value user or an opportunity to exploit root access to the entire system'.
Interestingly, the malware uses one of China's leading social networking sites, my.tv.sohu.com, as its command-and-control (C&C) server, sending commands to infected devices by updating the profile pages of attacker-controlled user accounts.
According to Kaspersky's telemetry, Roaming Mantis has been detected more than 6,000 times, although those detections came from only 150 user devices.
Make sure your router is running the latest firmware and is protected by a strong, hard-to-guess password. Also disable the router's remote administration features, and configure trusted DNS servers, with DNS encryption where supported, in your operating system's network settings.
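As an added defender-side check (my own example, not code from the Kaspersky report or from this article), the following Python script audits the resolvers a router handed out against an allowlist and compares answers from the suspect resolver with those from a known-good one. All addresses, the resolv.conf contents and the DNS answers are constructed sample data; the hostnames are placeholders.

```python
from typing import Dict, Iterable, List, Set

# Constructed resolv.conf as a DHCP client might write it. In a router DNS
# hijack the router hands out an attacker-controlled resolver (203.0.113.77
# here, a TEST-NET placeholder) instead of its own LAN address or the ISP's.
SAMPLE_RESOLV_CONF = """\
# constructed example
search lan
nameserver 192.168.1.1
nameserver 203.0.113.77
"""

# Resolvers the operator considers legitimate (constructed: router LAN
# address plus two well-known public resolvers).
TRUSTED_RESOLVERS: Set[str] = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}

# Constructed A-record answers: REFERENCE is what a known-good resolver
# returns, SUSPECT is what the router-supplied resolver returns.
REFERENCE_ANSWERS: Dict[str, Set[str]] = {
    "accounts.example.com": {"198.51.100.10", "198.51.100.11"},
    "bank.example.com": {"198.51.100.20"},
}
SUSPECT_ANSWERS: Dict[str, Set[str]] = {
    "accounts.example.com": {"203.0.113.77"},  # rewritten to attacker host
    "bank.example.com": {"198.51.100.20"},     # left untouched
}

def parse_nameservers(text: str) -> List[str]:
    """Return nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def untrusted_resolvers(servers: Iterable[str], trusted: Set[str]) -> List[str]:
    """Resolvers not on the allowlist; these deserve a closer look."""
    return [s for s in servers if s not in trusted]

def divergent_answers(suspect: Dict[str, Set[str]],
                      reference: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Names whose suspect answer shares no address with the reference answer.
    CDN-backed names vary, so any overlapping address counts as agreement."""
    diverged = {}
    for name, ref_ips in reference.items():
        sus_ips = suspect.get(name, set())
        if sus_ips and not (sus_ips & ref_ips):
            diverged[name] = sus_ips
    return diverged
```

Running `untrusted_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF), TRUSTED_RESOLVERS)` flags the unexpected 203.0.113.77 resolver, and `divergent_answers(SUSPECT_ANSWERS, REFERENCE_ANSWERS)` reports only the name whose answer was rewritten.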
