Roaming Mantis evolves into multiplatform, multilingual malware
Roaming Mantis, the Android banking malware first reported by Kaspersky Lab in April 2018, is evolving rapidly: its operators have added new target platforms, new capabilities and a much wider geographic reach since the original campaign.
In its original form the malware, which Trend Micro tracks as XLoader, was delivered by hijacking the DNS settings of compromised Wi-Fi routers. Every device behind such a router resolves hostnames through an attacker-controlled DNS server, so legitimate domain names can be silently pointed at the attackers' own sites. The campaign initially targeted banking transactions on Android devices in Asia. According to Kaspersky Lab's Securelist, the same DNS hijacking is now the delivery mechanism for a whole list of new functions.
iOS users who connect through an infected router are redirected to a phishing page impersonating the Apple App Store that asks the victim to enter Apple ID login details. Android users are now phished in the same way, with a fake Google Play login page that harvests Google account credentials.
Personal computer users get different treatment. Instead of asking for a login, Roaming Mantis injects Coinhive JavaScript into the pages they load through the hijacked DNS, so for as long as they keep browsing through the compromised router their browser mines the Monero cryptocurrency for the attackers in the background.
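Spotting a page that has been seeded with a browser miner, as an added example (this is not code from the article or from the Securelist or Trend Micro research): it collects the script tags from a fetched HTML document and flags external includes served from the Coinhive hosts as well as inline calls to the Coinhive API. The host list, the marker list and the sample page are assumptions constructed for the example.

```python
"""Added example: flag an injected browser miner in a fetched HTML page.

The host and marker lists and the sample page are assumptions made for
illustration, not taken from Roaming Mantis samples."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostnames the Coinhive loader was served from (assumed list; extend as needed).
MINER_SCRIPT_HOSTS = ("coinhive.com", "coin-hive.com")
# Constructors the Coinhive API exposed to page scripts.
MINER_INLINE_MARKERS = ("CoinHive.Anonymous(", "CoinHive.User(", "CoinHive.Token(")


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script and data.strip():
            self.inline.append(data)


def _is_miner_host(url: str) -> bool:
    """True if the script URL's host is one of the miner hosts or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in MINER_SCRIPT_HOSTS)


def find_miner(html: str) -> dict:
    """Return the external miner includes and inline miner calls found in `html`."""
    parser = _ScriptCollector()
    parser.feed(html)
    external = [src for src in parser.srcs if _is_miner_host(src)]
    inline = [body.strip() for body in parser.inline
              if any(marker in body for marker in MINER_INLINE_MARKERS)]
    return {"external": external, "inline": inline}


# Constructed sample: an ordinary page with a miner loader and start() call injected.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/static/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body><p>Welcome</p>
<script>var miner = new CoinHive.Anonymous('SITEKEY-PLACEHOLDER'); miner.start();</script>
</body></html>"""

if __name__ == "__main__":
    hit = find_miner(SAMPLE_PAGE)
    print("external miner scripts:", hit["external"])
    print("inline miner calls:", hit["inline"])
```

The parser-based approach is deliberately used instead of a regular expression so that a loader hidden in an attribute or split across whitespace is still seen; a real deployment would also compare the page against a copy fetched through a trusted resolver, since only the DNS-hijacked copy carries the injection.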
To extend their reach beyond Asia, the operators have localized the phishing pages into 27 languages. When a device's traffic passes through the hijacked DNS, the landing page picks the language matching the device's settings and sends the user to the corresponding fake page.
There is more. After the initial phishing step, Android users are prompted to install a malicious .apk file that, if run, gives the attackers nearly full control of the device, including the ability to install further malicious programs. Kaspersky chose the name Roaming Mantis because of the possibility that infected phones carry the malware with them and hijack any poorly secured router they subsequently connect to.
Lorin Wu at Trend Micro recommends that users practice proper security hygiene to mitigate threats that exploit security gaps in home or business routers. System administrators and security teams should also harden routers against attacks such as DNS cache poisoning and unauthorized changes to DNS settings: change default administrative credentials, keep firmware current, disable administration from the WAN side, and periodically verify that the DNS servers the router hands out are the expected ones.