Roaming Mantis malware is now 'spreading across the globe'

The DNS-hijacking malware that originated in Asia is now targeting iOS devices

Malware that infects smartphones through compromised Wi-Fi routers - dubbed 'Roaming Mantis' - is spreading rapidly around the world after first emerging only a couple of months ago.

Using DNS hijacking, the malware relies on compromised routers to push a malicious app onto Android smartphones and tablets, redirect iOS devices to a phishing site, and run CoinHive, a cryptomining script, in the browsers of desktops and laptops.


Having until now mainly affected users in Japan, Korea, China, India and Bangladesh, Roaming Mantis has added two dozen more languages - including Arabic, Russian, and a host of European languages - and is rapidly spreading around the world, according to Kaspersky Lab, a cybersecurity company.

Roaming Mantis uses the simplest and most effective form of DNS hijacking, according to Kaspersky: the attackers alter the DNS settings of compromised routers so that they hand out attacker-controlled (rogue) DNS servers, meaning any device connected to the compromised router can be silently redirected to a malicious site when it looks up a hostname.

Although the malware only targeted Android devices when it first emerged, its creators have since extended it to iOS devices as well.

Android users are shown a prompt to update their browser and are then served a malicious app disguised as Chrome or Facebook, which requests a series of permissions and uses them to bypass two-factor authentication and hijack Google accounts.


Users of iOS, meanwhile, are redirected to a mock-up of the Apple website served under the hostname security.apple.com - a name the attackers can only fake because their rogue DNS decides where it resolves - and are prompted to enter their login details as well as their bank card number.

The final "innovation" the researchers uncovered was Roaming Mantis serving desktop and laptop users a page that runs the CoinHive mining script in the browser, pegging the CPU and consuming large amounts of power to mine cryptocurrency for its creators.

Roaming Mantis was first detected in March, Kaspersky said, when Japanese reports of hijacked DNS settings on routers redirecting users to malicious IP addresses prompted the company to publish its initial research into the malware last month.

"During our research we received some invaluable information about the true scale of this attack. There were thousands of daily connections to the command and control (C2) infrastructure, with the device locale for the majority of victims set to Korean," wrote junior researcher Suguru Ishimaru.

"Since we didn't find a pre-existing name for this malware operation, we decided to assign a new one for future reference. Based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection, we decided to call it 'Roaming Mantis'."


Kaspersky concluded at the time that Roaming Mantis was designed to spread mainly in Asian countries: 98% of affected devices were configured for Korean, with support later added for Traditional Chinese, English and Japanese.

But Roaming Mantis's expansion shows its creators are keen to capitalise on the malware's effectiveness, adding support for 24 further languages and extending its reach globally.

The threat of malware seems ever-present and constantly growing; Symantec researchers this month uncovered a series of malicious apps sneaking back onto the Google Play Store simply by changing their names after having been removed in the past.

Meanwhile, further Symantec research earlier this year found that instances of cryptojacking, of which Roaming Mantis's behaviour on desktops and laptops is a typical example, surged 8,500% year-on-year in the final quarter of 2017.

Kaspersky included several steps to help users infected with Roaming Mantis: install antivirus software on every infected device and remove the malware, then carry out a deep clean that entails changing passwords and cancelling bank cards, changing the router's administrator password and updating its firmware, and verifying that the router's DNS server address matches the one issued by the ISP. Cleaning the devices alone is not enough: until the router's DNS setting is corrected, every device that joins the network is exposed again.
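
The two DNS checks above, the router DNS setting and the "does this name resolve to what it should" question behind the hijack, written out as a stand-alone Python example. This is added for this page; it is not Kaspersky's code or anything from the original article. It parses a resolv.conf-style list of resolvers against an expected allowlist, and decodes DNS wire-format answers to flag names that resolve differently through the LAN resolver than through a trusted one. All addresses, the sample configuration and the DNS messages are constructed here from RFC 5737 documentation ranges; none of them are the real Roaming Mantis infrastructure, and security.apple.com is used only because the article names it.

```python
# Added example (not from the article or Kaspersky): two offline checks for the
# router-level DNS hijack described above.
#  1. Compare the DNS servers a router (or device) is configured with against
#     the ones expected from the ISP / the router itself.
#  2. Parse DNS wire-format answers and flag names that resolve differently
#     through the LAN resolver than through a trusted one.
# All addresses and messages below are constructed from documentation ranges
# (RFC 5737); they are not the real Roaming Mantis infrastructure.
import ipaddress
import struct


def parse_resolv_conf(text):
    """Return the nameserver IPs from resolv.conf-style text ('nameserver X' lines)."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(servers, expected):
    """Return configured resolvers that are not in the expected allowlist."""
    allowed = {ipaddress.ip_address(e) for e in expected}
    return [s for s in servers if ipaddress.ip_address(s) not in allowed]


def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query (RD set) for `name`, wire format per RFC 1035."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query, ip, ttl=300):
    """Answer `query` claiming the queried name maps to `ip` (used to construct sample data)."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    # Name as a compression pointer to offset 12 (the question name), TYPE A, CLASS IN.
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def _read_name(msg, offset, max_hops=16):
    """Decode a possibly-compressed name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_a_records(msg):
    """Return [(name, ipv4)] for every A/IN answer in a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _name, offset = _read_name(msg, offset)
        offset += 4                              # skip QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, str(ipaddress.IPv4Address(rdata))))
    return records


def diverging_names(local_msg, trusted_msg):
    """Names whose A records from the LAN resolver differ from the trusted resolver's."""
    def by_name(msg):
        table = {}
        for name, ip in parse_a_records(msg):
            table.setdefault(name, set()).add(ip)
        return table
    local, trusted = by_name(local_msg), by_name(trusted_msg)
    return sorted(n for n in local if local[n] != trusted.get(n, set()))


# Constructed sample data: a router status page / resolv.conf after the hijack,
# where the ISP resolver has been replaced by an attacker-controlled one.
HIJACKED_CONFIG = "nameserver 203.0.113.9\nnameserver 192.168.0.1\n"
EXPECTED_RESOLVERS = ["198.51.100.53", "192.168.0.1"]   # ISP-issued + router LAN address

QUERY = build_query("security.apple.com")
ROGUE_ANSWER = build_response(QUERY, "203.0.113.45")    # as served by the rogue resolver
TRUSTED_ANSWER = build_response(QUERY, "198.51.100.7")  # as served by a trusted resolver

if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(parse_resolv_conf(HIJACKED_CONFIG), EXPECTED_RESOLVERS))
    print("diverging names:", diverging_names(ROGUE_ANSWER, TRUSTED_ANSWER))
```

Two caveats when running this against live resolvers instead of the constructed messages: CDN-backed names (Apple's included) legitimately return different addresses from different resolvers, so a bare IP mismatch is a prompt to inspect the TLS certificate the site presents, not proof of a hijack; and a router that transparently intercepts port 53 can spoof the "trusted" answer too, which is why the comparison query is better sent over DNS-over-HTTPS or DNS-over-TLS. The parser handles only A/IN records and the compression form used here, which is all the check needs.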

Picture: Suttipon Yakham/Shutterstock 
