DNS-Hijacking Malware Targeting Mobile & Desktop Users Worldwide

Roaming Mantis was first seen compromising the DNS settings of home routers to distribute Android banking malware. Its goal was to steal account credentials and intercept the one-time codes used for two-factor authentication.

The criminals behind the malware have since extended it to iOS devices and desktops: iOS users are now redirected to phishing pages, and desktop users to pages that run cryptocurrency-mining code. The first version targeted users in Asian countries such as China, Japan, Bangladesh and South Korea; the new campaign's landing pages support more than 25 languages, widening distribution to users in the Middle East and Europe.

As before, the new version of Roaming Mantis is distributed through DNS hijacking: the attacker changes the DNS settings of a wireless router, and from then on the DNS queries of every device behind it are answered by a resolver under the attacker's control, which returns the addresses of malicious domains. When a user behind a compromised router tries to open a website, they are sent instead to attacker-controlled pages: fake apps carrying banking malware for Android users, cryptocurrency-mining pages for PC users, and phishing sites for iOS users.

To stay under the radar, the fake sites name each downloaded file with eight random digits, and the malicious APK packages are rebuilt in real time, so the file hash changes from one download to the next and simple hash-based blocklists do not catch them.
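The two evasion tricks above (random eight-digit file names and per-request repackaging) are exactly what a detection rule can key on. The following is an added example written for this page, not code from the article or from any vendor: it triages constructed web-proxy log lines, flags APK downloads whose file name is exactly eight digits, and flags URLs that served payloads with different SHA-256 digests to different clients. The log format, hosts (`apk-host.test`, `cdn.legit.test`) and digests are all made up for the example.

```python
import re
from collections import defaultdict

APK_MIME = "application/vnd.android.package-archive"


def _line(time, client, url, digest):
    # Constructed proxy-log line: time client method url status content-type sha256=<digest>
    return f"{time} {client} GET {url} 200 {APK_MIME} sha256={digest}"


# Sample proxy log written for this example (not from the article or any real incident).
# Digests are placeholders; a real log would carry the SHA-256 of each response body.
SAMPLE_PROXY_LOG = "\n".join([
    _line("2018-05-20T10:01:02Z", "10.0.0.12", "http://apk-host.test/48210937.apk", "0f3a1c9e" * 8),
    _line("2018-05-20T10:05:44Z", "10.0.0.19", "http://apk-host.test/48210937.apk", "9be14d2c" * 8),
    _line("2018-05-20T10:06:10Z", "10.0.0.21", "http://apk-host.test/77310021.apk", "c4e6b8d0" * 8),
    _line("2018-05-20T10:07:00Z", "10.0.0.12", "http://cdn.legit.test/facebook.apk", "1" * 64),
    _line("2018-05-20T10:08:00Z", "10.0.0.19", "http://cdn.legit.test/facebook.apk", "1" * 64),
    _line("2018-05-20T10:09:00Z", "10.0.0.30", "http://cdn.legit.test/20180520.apk", "2" * 64),
    _line("2018-05-20T10:10:00Z", "10.0.0.31", "http://cdn.legit.test/20180520.apk", "2" * 64),
])

LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "
    r"(?P<ctype>\S+) sha256=(?P<sha256>[0-9a-f]{64})$"
)
# Path whose file name is exactly eight digits followed by .apk, with an optional query string.
RANDOM_DIGIT_APK_RE = re.compile(r"/\d{8}\.apk(?:\?.*)?$")


def parse_proxy_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def is_random_digit_apk(url):
    """True when the URL's file name is eight digits plus .apk (e.g. /48210937.apk)."""
    return bool(RANDOM_DIGIT_APK_RE.search(url))


def hashes_per_url(records):
    """Map each APK URL to the set of response digests it served."""
    seen = defaultdict(set)
    for r in records:
        if r["ctype"] == APK_MIME:
            seen[r["url"]].add(r["sha256"])
    return seen


def triage(text):
    """Score each APK URL: +1 for an eight-digit file name, +2 when the same URL served
    payloads with different hashes (a sign of per-request repackaging). Returns {url: score}
    for every URL with a non-zero score."""
    scores = {}
    for url, digests in hashes_per_url(parse_proxy_log(text)).items():
        score = 0
        if is_random_digit_apk(url):
            score += 1
        if len(digests) > 1:
            score += 2
        if score:
            scores[url] = score
    return scores


if __name__ == "__main__":
    for url, score in sorted(triage(SAMPLE_PROXY_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{score}  {url}")
```

The name check alone produces noise (a legitimately date-named `20180520.apk` scores 1), which is why the polymorphism signal carries more weight: a URL that hands out a different binary on every request is the behaviour the article describes, and no static hash list will keep up with it.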

Once a user installs one of the fake apps, the attacker can control the Android device through backdoor commands such as sendSms, lock, call and ping.

iOS users are redirected to a phishing site, 'security.app.com', that closely mimics Apple's website and asks them to enter their user ID, password and full credit card details.

The campaign is not only after credentials. Roaming Mantis also injects the browser-based Coinhive cryptocurrency-mining script into every landing page, so the victim's CPU mines for the attackers for as long as the page stays open.
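Injected miners are easy to spot once you look at the script tags of the page that was served. The following is an added example, written for this page rather than taken from the article: it pulls the external and inline `<script>` content out of constructed HTML pages and reports Coinhive indicators, namely a script loaded from a Coinhive host and an inline `new CoinHive.Anonymous(...)` call. The host list and the sample pages are assumptions made for the example; extend the host list with whatever miner domains your own intelligence covers.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (written for this example, not captured from the campaign).
LANDING_PAGE_INFECTED = """<html><head><title>Update</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY-PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script></head><body><p>Please update your browser.</p></body></html>"""

LANDING_PAGE_CLEAN = """<html><head><title>Home</title>
<script src="/static/app.js"></script></head><body><p>Welcome.</p></body></html>"""

# Assumed indicator list for the example: hosts the Coinhive loader was served from.
MINER_HOSTS = {"coinhive.com", "coin-hive.com"}
# Inline constructor calls of the Coinhive browser library.
MINER_INLINE_RE = re.compile(r"\bnew\s+CoinHive\.(Anonymous|User|Token)\s*\(")


class ScriptCollector(HTMLParser):
    """Collect src attributes of external scripts and the body of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # list of data chunks while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            self._buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            code = "".join(self._buf).strip()
            if code:
                self.inline.append(code)
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def _is_miner_host(host):
    host = (host or "").lower()
    return host in MINER_HOSTS or any(host.endswith("." + h) for h in MINER_HOSTS)


def find_miner_indicators(html):
    """Return a list of (kind, evidence) tuples; empty when no indicator is present."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for src in parser.external:
        if _is_miner_host(urlparse(src).hostname):
            hits.append(("external", src))
    for code in parser.inline:
        m = MINER_INLINE_RE.search(code)
        if m:
            hits.append(("inline", m.group(0)))
    return hits


def summarize(pages):
    """Given {url: html}, report which pages carry a miner, mirroring the article's
    observation that the script was present on every landing page."""
    return {url: bool(find_miner_indicators(html)) for url, html in pages.items()}


if __name__ == "__main__":
    pages = {"http://landing.test/a": LANDING_PAGE_INFECTED, "http://landing.test/b": LANDING_PAGE_CLEAN}
    for url, infected in summarize(pages).items():
        print(f"{'MINER' if infected else 'clean'}  {url}")
```

The same collector works on pages fetched through a suspect resolver: if a page that is normally clean suddenly comes back with a Coinhive loader, the injection happened upstream of the browser, which is consistent with the DNS-level redirection described above rather than a compromise of the site itself.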

How to protect against Roaming Mantis

  • Keep the router up to date: check its firmware version and upgrade to the latest release from the vendor.
  • Protect the router's administration interface with a strong, unique password.
  • Disable remote administration (management from the WAN side) on the router.
  • Hardcode a trusted DNS server in your device's network settings, so a changed router setting is not simply inherited through DHCP.
  • Android users: install apps only from official stores and trusted sites, and keep "Install from unknown sources" disabled in the device settings.
  • If you suspect your router is already compromised, check its DNS settings: the DNS server addresses should match the ones issued by your provider. If they do not, restore them and change all your passwords, the router's admin password included.
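The last check above, and the DNS-hijacking mechanism described earlier, can both be turned into a small script. The following is an added example written for this page, not code from the article: it parses a resolver configuration in the resolv.conf format, classifies each configured server against the resolvers your provider is expected to issue, and then compares the answers obtained through the default resolution path with answers from an independent, trusted resolver. The expected resolver addresses, the LAN range, the configuration text and both answer sets are constructed for the example (a real run would obtain the answer sets with two lookups, one via the default path and one addressed directly to a known-good resolver by IP).

```python
from ipaddress import ip_address, ip_network

# Assumed values for this example: the resolvers your ISP normally issues and the LAN range
# behind the router. Replace them with your own.
EXPECTED_RESOLVERS = {ip_address("203.0.113.53"), ip_address("203.0.113.54")}
LAN = ip_network("192.168.1.0/24")

# Constructed resolver configuration, as a client might see it after DHCP from a router
# whose settings were changed: one rogue server plus the router itself.
RESOLV_CONF_HIJACKED = """\
# Generated by DHCP
nameserver 198.51.100.7
nameserver 192.168.1.1
search home.lan
"""

# Constructed answers for the same names, one set via the default path and one from a
# trusted resolver queried directly. Addresses come from the documentation ranges.
DEFAULT_PATH_ANSWERS = {
    "bank.example": {"198.51.100.40"},   # rogue answer pointing at an attacker host
    "www.example": {"192.0.2.80"},
}
TRUSTED_ANSWERS = {
    "bank.example": {"192.0.2.10"},
    "www.example": {"192.0.2.80"},
}


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ip_address(parts[1]))
            except ValueError:
                continue  # malformed entry; ignore
    return servers


def classify_resolvers(servers, expected=EXPECTED_RESOLVERS, lan=LAN):
    """Label each resolver: 'expected' (provider-issued), 'router' (a LAN address, whose
    upstream setting must be checked in the admin UI) or 'unexpected'."""
    verdicts = {}
    for ip in servers:
        if ip in expected:
            verdicts[str(ip)] = "expected"
        elif ip in lan:
            verdicts[str(ip)] = "router"
        else:
            verdicts[str(ip)] = "unexpected"
    return verdicts


def compare_answers(default_path, trusted):
    """Return {name: (default_answer, trusted_answer)} for names whose answers differ."""
    mismatches = {}
    for name, trusted_ips in trusted.items():
        got = default_path.get(name, set())
        if got != trusted_ips:
            mismatches[name] = (sorted(got), sorted(trusted_ips))
    return mismatches


def check_for_hijack(resolv_text, default_path, trusted):
    """Combine both checks. A client that only sees the router as its resolver cannot tell
    from configuration alone whether the router's upstream DNS was changed; the answer
    comparison is what catches that case."""
    resolvers = classify_resolvers(parse_nameservers(resolv_text))
    mismatches = compare_answers(default_path, trusted)
    suspected = "unexpected" in resolvers.values() or bool(mismatches)
    return {"resolvers": resolvers, "mismatches": mismatches, "hijack_suspected": suspected}


if __name__ == "__main__":
    report = check_for_hijack(RESOLV_CONF_HIJACKED, DEFAULT_PATH_ANSWERS, TRUSTED_ANSWERS)
    for ip, verdict in report["resolvers"].items():
        print(f"resolver {ip}: {verdict}")
    for name, (got, want) in report["mismatches"].items():
        print(f"{name}: default path says {got}, trusted resolver says {want}")
    print("hijack suspected:", report["hijack_suspected"])
```

Run the answer comparison against a few names you actually use (your bank, your mail provider, an app store); a single disagreement on a name that has a stable address is enough to justify restoring the router's DNS settings and rotating passwords as the list above recommends.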