Roaming Mantis’ Hacking Campaign Adds DNS Changer to Mobile App

The threat actor known as Roaming Mantis (or Shaoye) is reported to have added a DNS changer feature to its latest mobile app, Wroba.o, to infiltrate Wi-Fi routers and perform DNS hijacking.

The findings come from Kaspersky’s SecureList researchers, who published an advisory on Roaming Mantis today.

According to the technical article, attackers have been conducting a long-running campaign to control infected Android devices and obtain device information using malicious Android package (APK) files.

“In 2018, Kaspersky first saw Roaming Mantis in action. It targets the Asian region, including Japan, South Korea and Taiwan. At the time, criminals compromised Wi-Fi routers for use in hijacking DNS, a highly effective technique,” reads the advisory.

“From mid-2019 to 2022, criminals primarily used smishing instead of DNS hijacking to deliver malicious URLs as landing pages.”

On that landing page, Kaspersky found, the user's device platform is identified and the victim is either served malicious APK files (Android) or redirected to phishing pages (iOS).

“In September 2022, we […] discovered that a DNS changer was implemented to target specific Wi-Fi routers. It gets the IP address of the default gateway as the IP of the connected Wi-Fi router and checks the device model from the router’s admin web interface.”

Security researchers also discovered that this feature was implemented primarily targeting WiFi routers located in South Korea. Victims of Roaming Mantis have also been found in France, Japan, Germany, the United States, Taiwan, Turkey, and elsewhere.

“We believe the discovery of this new DNS changer implementation is very important from a security perspective,” warns SecureList.

“An attacker can use this to manage all communication from devices with compromised Wi-Fi routers with malicious DNS settings. For example, an attacker can redirect to a malicious host and can interfere with security product updates.”
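The check a defender would run against the scenario just quoted, as an added example that is not from the article or from Kaspersky: a hijacked router keeps its usual gateway address but starts handing out attacker resolvers over DHCP, so a client can audit the resolvers it was given against the gateway and an allowlist. The lease snapshots, the allowlist and the placeholder rogue address are all constructed assumptions.

```python
"""Flag rogue DNS resolvers handed out by a possibly hijacked Wi-Fi router.

Added example, not code from the article or from Kaspersky. The normal home
setup is that DHCP points clients at the router itself for DNS; a DNS changer
replaces that with attacker-controlled resolvers while the gateway stays the
same. The trusted-resolver allowlist below is an assumption.
"""
import ipaddress

# Assumption: public resolvers the household or organisation considers trusted.
TRUSTED_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}

# RFC 1918 ranges, checked explicitly (ipaddress.is_private would also match
# documentation ranges such as 203.0.113.0/24, which we use as the rogue sample).
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_resolver(resolver: str, gateway: str) -> str:
    """Return 'ok', or a short reason why the advertised resolver is suspect."""
    r = ipaddress.ip_address(resolver)
    if r == ipaddress.ip_address(gateway):
        return "ok"  # router forwards DNS itself: the expected default
    if resolver in TRUSTED_RESOLVERS:
        return "ok"
    if any(r in net for net in LAN_NETS):
        return "unknown LAN resolver"  # another LAN host answering DNS
    return "untrusted public resolver"  # what a DNS changer typically plants


def audit_lease(lease: dict) -> list:
    """Audit a DHCP lease {'gateway': str, 'dns': [str, ...]}; return findings."""
    findings = []
    for resolver in lease["dns"]:
        verdict = classify_resolver(resolver, lease["gateway"])
        if verdict != "ok":
            findings.append(f"{resolver}: {verdict}")
    return findings


# Constructed sample leases: a healthy router and one whose DNS settings were changed.
# 203.0.113.53 is a documentation-range placeholder, not a real indicator.
HEALTHY_LEASE = {"gateway": "192.168.0.1", "dns": ["192.168.0.1"]}
HIJACKED_LEASE = {"gateway": "192.168.0.1", "dns": ["203.0.113.53", "192.168.0.1"]}

if __name__ == "__main__":
    for name, lease in (("healthy", HEALTHY_LEASE), ("hijacked", HIJACKED_LEASE)):
        print(name, audit_lease(lease) or ["no findings"])
```

On a real device the lease values come from the DHCP client (for example `ip route` and `/etc/resolv.conf` on Linux); the script only shows the classification logic.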

Kaspersky said it believes the group could use the DNS changer to target other regions and cause significant problems. A list of Indicators of Compromise (IoCs) is available on SecureList to help companies detect Roaming Mantis’ Wroba.o infections.

The disclosure comes a few weeks after Google announced it was making Android’s security even better with a memory-safe programming language.
