| Home - Current Activities||
Original Issue Date:May 28, 2018
A resurgence in the Roaming Mantis malware campaign is reported by updating the attack vectors and targeting a wider community by adding support for 27 other global languages including European and Middle Eastern in a bid to broaden its geographic range.
In addition to the Android platforms, this malware campaign reportedly extends its targets to iOS and PC users.
- The attacks hijack DNS settings on routers; also known as DNS cache poisoning/DNS spoofing, to redirect users to malicious IP addresses. When a user tries to access a legitimate website in the phone browser, he/she is instead taken to a malicious page even though the address bar still shows the domain of the legitimate page.
- The malicious site detects the device from which it is being accessed and executes the malicious activity accordingly.
- The landing page here shows a popup message in a language that has been configured on the user’s phone. The popup message in English says "To better experience the browsing, update to the latest Chrome/Facebook version."
- When the user proceeds, a malicious apk is downloaded on to the user’s device.
- When the user installs this apk file, it asks for a lot of permissions that can be used for malicious activities and are not usually required by a web browser application. Some of these are – RECEIVE_BOOT_COMPLETED (permission for detecting when the device has been switched on), SEN_SMS, WRITE_SMS, READ_CONTACTS, CALL_PHONE, RECORD_AUDIO among others.
- Once the user grants all the permissions and completes the installation, the icon of the fake app appears in the application list and then disappears.
- The malware shows an overlay on all other applications with the following message – “Account No.exists risks, use after certification”. The malware also starts a local webserver on the device. When the user clicks on Enter, he/she is taken to a locally hosted Google authentication phishing page.
- This malware can also execute a lot of other commands received from its C2 server.
Through DNS spoofing, the user is taken to a malicious webpage when he tries to access any website. This page tells the user to login to his/her Apple Store account after which the user is taken to a fake Apple account page which has the URL - "security.apple.com|
The fake site steals the User ID, password and card details of the victim.
This malware has evolved significantly over time.
- The name of apk files have changed from fixed to randomly generated names.
- The encoding of the payloads has also been changed.
- Older samples retrieved the C2 address by reading a string on a webpage but the newer samples have been using email protocol for finding out the C2 address. It connects to an Outlook email inbox via POP3 and obtains the address from the subject of an email.
- It now supports 27 languages as against the initial 4.
- More and more malicious activities are being added, the latest being crypto mining.
- Check the DNS settings on PC and router to make sure it is the one advised by your ISP or belonging to trusted public DNS providers like Cloudflare (188.8.131.52), Google (184.108.40.206 and 220.127.116.11) among others.
- On Android, do not download and install applications from untrusted sources [offered via unknown websites/ links on unscrupulous messages]. Install applications downloaded from reputed application market only.
- Install and maintain updated antivirus solution on your devices. Scan the suspected device with antivirus solutions to detect and clean infections.
- Prior to downloading / installing apps on Android devices (even from Google Play Store):
- Always review the app details, number of downloads, user reviews, comments and "ADDITIONAL INFORMATION" section.
- Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
- In settings, do not enable installation of apps from "Untrusted Sources".
- Exercise caution while visiting trusted/untrusted sites for clicking links.
- Refer to security best practices for mobile Phone users:
- Install Android updates and patches as and when available from Android device vendors.
- Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.
The information provided herein is on "as is" basis, without warranty of any kind.
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003