{"id":22427,"date":"2018-05-18T06:16:15","date_gmt":"2018-05-18T10:16:15","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=22427"},"modified":"2019-11-15T06:37:03","modified_gmt":"2019-11-15T11:37:03","slug":"roaming-mantis-malware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/roaming-mantis-malware\/22427\/","title":{"rendered":"Roaming Mantis infects smartphones through Wi-Fi routers"},"content":{"rendered":"

Some time ago our experts investigated a piece of malware that they dubbed Roaming Mantis<\/a>. Back then, the people affected were mainly users from Japan, Korea, China, India, and Bangladesh, so we didn\u2019t discuss the malware in the context of other regions; it seemed to be a local threat.<\/p>\n

However, in the month since the report was published, Roaming Mantis has added two dozen more languages and is rapidly spreading around the world.<\/p>\n

The malware uses compromised routers to infect Android-based smartphones and tablets. It then redirects iOS devices to a phishing site and runs the CoinHive cryptomining script on desktops and laptops. It does so by means of DNS hijacking, making it hard for targeted users to detect that something\u2019s amiss.<\/p>\n

What is DNS hijacking<\/h3>\n

When you enter a site name in your browser address bar, the browser doesn\u2019t actually send a request to that site. It can\u2019t; the Internet operates on IP addresses, which are sets of numbers, whereas domain names with words are easier for people to remember and input.<\/p>\n

When you enter a URL, your browser sends a request to a DNS-server<\/a> (DNS is Domain Name System), which translates the human-friendly name into the IP address of the corresponding website. It is this IP address that the browser uses to locate and open the site.<\/p>\n

DNS hijacking is a way of fooling the browser into thinking it has matched the domain name to the correct IP address when in fact it hasn\u2019t. Although the IP address is wrong, the original URL entered by the user is displayed in the browser address bar, so nothing looks suspicious.<\/p>\n

There are many DNS-hijacking techniques, but the creators of Roaming Mantis have chosen perhaps the simplest and most effective: They hijack the settings of compromised routers, forcing them to use their own rogue DNS servers. That means regardless of what is typed into the browser address bar of a device connected to this router, the user is redirected to a malicious site.<\/p>\n

Roaming Mantis on Android<\/h3>\n

After the user is redirected to the malicious site, they are prompted to update the browser. That leads to the download of a malicious app named chrome.apk<\/b> (there was another version as well, named facebook.apk<\/b>).<\/p>\n

\"Roaming<\/a><\/p>\n

The malware requests a bunch of permissions<\/a> during the installation process, including rights to access account information, send and receive SMS messages, process voice calls, record audio, access files, display its own window on top of others, and so on. For a trusted application such as Google Chrome, the list doesn\u2019t seem too suspicious\u00a0\u2014 if the user considers this \u201cbrowser update\u201d legit, they are sure to grant permissions without even reading the list.<\/p>\n

After the application is installed, the malware uses the right to access the list of accounts to find out which Google account is used on the device. Next, the user is shown a message (it appears on top of all other open windows, another permission the malware requested) saying that something is wrong with their account and that they need to sign in again. A page then opens and prompts the user to enter their name and date of birth.<\/p>\n

\"Roaming<\/a><\/p>\n

It appears that this data, together with the SMS permissions that grant access to the one-time codes needed for two-factor authentication, is then used by the creators of Roaming Mantis to steal Google accounts.<\/p>\n

Roaming Mantis: World tour, iOS debut, and mining<\/h3>\n

In the beginning, Roaming Mantis could display messages in four languages: English, Korean, Chinese, and Japanese. But somewhere along the line, its creators decided to expand and add another two dozen languages to their polyglot malware:<\/p>\n