First spotted targeting APAC countries in 2018, Roaming Mantis recently received updates allowing it to steal more data and has begun targeting individuals in France and Germany.
The mobile malware campaign known as Roaming Mantis largely left the news cycle after making a splash in 2018, but Kaspersky is reporting that some new life has been breathed into the campaign in the form of new features and new targets: This time it’s set its sights on France and Germany.
Roaming Mantis is a mobile device smishing (text message phishing) campaign that uses several different Android trojans (Wroba.g, Wroba.o, Moqhao and XLoader) to take control of Android devices. iOS users aren’t off the hook, though: When a Roaming Mantis sms link is tapped, it can detect the type of device and region, and when it finds an iOS device it directs the victim to a fake Apple ID login page in the language of their respective country.
When it first appeared in 2018, Kaspersky said Roaming Mantis was found targeting mobile device users in Japan, Taiwan and Korea. As of July 2021, Kaspersky said the malware dropper used by Roaming Mantis has been found in France, Japan, India, China, Germany and Korea, in descending order.
That’s not great news: Roaming Mantis has the potential to seize nearly total control of an infected device.
How Roaming Mantis infects a device
As mentioned above, Roaming Mantis spreads through phishing text messages that Kaspersky said contain a short description and an obfuscated link. In both examples of smishing messages sent to France and Germany, the description was about package tracking; a common tactic cybercriminals use to lure victims.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
When the link is clicked, Android users are met with a prompt to download something, which is the Roaming Mantis malware dropper. Once installed, the Roaming Mantis malware is able to do a variety of things to the infected device: Send text messages, ping the device, read the state of the phone, forward calls, lock the device, and two new ones Kaspersky detected as part of the 2021 updates and targeting changes: Stealing individual photos or entire galleries.
Kaspersky said that the new features, in particular, point to Roaming Mantis’ developers having two aims in mind. First, to steal photographs of various forms of ID, like driver’s licenses, health insurance cards and other important documents that we often scan to send to employers for COVID testing and the like. Kaspersky said this info is likely to be used for signing up for contracts or payment services in the victim’s name. The second likely use Kaspersy mentioned is to blackmail users who may have private or incriminating photos on their device.
Why Roaming Mantis is so dangerous
As Roaming Mantis has spread to different countries with different languages, it’s continued to add new region checks to its system, which in turn added pages in French, German and other languages used in countries it targets.
In addition to its ability to change to suit its environment, Roaming Mantis also uses several different obfuscation techniques on its landing pages to avoid detection, as well as undermine researchers attempting to understand its code. “In addition to obfuscation, the landing page blocks the connection from the source IP address in non-targeted regions and shows just a fake ‘404’ page for these connections,” Kaspersky said.
It’s not only France and Germany where Roaming Mantis has spread, either. Kaspersky cited independent research published by Japanese security expert @ninoseki that shows it also being active in the United States, India, Taiwan and Turkey, though in no way near to the total infection numbers in France and Japan, from which ninoseki detected 66,789 and 22,254 downloads on one day in September 2021, respectively. Regardless of the high level of Japanese detections, Kaspersky said that it believes France and Germany are now Roaming Mantis’ top targets.
Like all phishing-related attacks, Roaming Mantis requires action on the user’s part. Specifically when the phishing link is followed, the user has to OK the download and installation, and it’s there that the biggest security takeaway from this story appears.
SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)
Those using Android devices should never install apps from unknown sources. Android has app-level controls that can prevent web browsers from installing anything, though the best practice is to ensure you can’t install apps from anywhere but the Google Play store. Unfortunately, Android devices differ greatly in where this setting is found. Check with your manufacturer or carrier for particular steps.
Companies that issue Android devices for employees should nip unauthorized apps in the bud by disabling app installations from unknown sources at the MDM level.
Additionally, be sure you and your users know what phishing is, and how to spot phishing attacks coming from emails, social media, texts or in any other format.