UPDATED 00:16 EDT / MAY 22 2018

Roaming Mantis evolves into multilevel malicious malware

Roaming Mantis, a form of Android banking malware discovered in August, has been found to be rapidly evolving, adding new platforms, capabilities and even geographical targeting to its original form.

The original form of the malware, also known as XLoader, was designed to hijack the DNS settings of a compromised Wi-Fi router so that it could target banking transactions on devices in Asia. That DNS hijacking is now being used to deliver a whole checklist of new malicious functions, according to Securelist.

iOS users who connect to a compromised Wi-Fi router are redirected to a phishing site that imitates the Apple App Store and asks them to enter their login details. Android users are now targeted in a similar fashion, prompted for a Google Play login so that their Google account details can be stolen.
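The hijack described above works because the router hands clients a rogue resolver, which then answers queries for banking and app-store domains with the address of a phishing host. The following added example (not code from the article, Securelist or the malware authors) shows the checks a defender can run on a client to notice that: the configured resolvers are compared against an allow-list, the router-supplied answers for sensitive domains are compared against a trusted resolver's answers, and unrelated domains that all resolve to one address are flagged, since a phishing host that impersonates several services is a typical symptom. All addresses, domains and answers are constructed sample data; in practice the answer dictionaries would be filled by querying the two resolvers.

```python
"""Client-side checks for a router-level DNS hijack (added example, constructed data)."""
import ipaddress
import re
from typing import Dict, List, Set

# Resolvers the organisation expects clients to use (constructed allow-list).
EXPECTED_RESOLVERS: Set[str] = {"192.0.2.53", "2001:db8::53"}

# Constructed resolv.conf as a DHCP client might receive it from a compromised router:
# the second nameserver is not one the organisation runs.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search corp.example
nameserver 192.0.2.53
nameserver 203.0.113.9
"""

# Constructed A-record answers. LOCAL is what the router-supplied resolver returned,
# TRUSTED is what a known-good resolver (e.g. over a VPN or DoH) returned.
LOCAL_ANSWERS: Dict[str, Set[str]] = {
    "bank.example": {"198.51.100.7"},
    "play.google.com": {"198.51.100.7"},
    "docs.example": {"192.0.2.30"},
}
TRUSTED_ANSWERS: Dict[str, Set[str]] = {
    "bank.example": {"192.0.2.10", "192.0.2.11"},
    "play.google.com": {"192.0.2.20"},
    "docs.example": {"192.0.2.30"},
}


def parse_resolvers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    found = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        match = re.match(r"nameserver\s+(\S+)", line)
        if not match:
            continue
        try:
            found.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue                                   # ignore malformed entries
    return found


def unexpected_resolvers(resolvers: List[str], expected: Set[str] = EXPECTED_RESOLVERS) -> List[str]:
    """Resolvers that are not on the allow-list; a rogue DHCP option shows up here."""
    return [r for r in resolvers if r not in expected]


def compare_answers(local: Dict[str, Set[str]], trusted: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Flag domains whose local answer contains addresses the trusted resolver never returned."""
    findings = {}
    for name, trusted_addrs in trusted.items():
        local_addrs = local.get(name, set())
        rogue = local_addrs - trusted_addrs
        if rogue:
            findings[name] = {
                "local": sorted(local_addrs),
                "trusted": sorted(trusted_addrs),
                "rogue": sorted(rogue),
            }
    return findings


def shared_destinations(local: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Addresses that two or more unrelated domains resolve to (one phishing host serving many brands)."""
    by_addr: Dict[str, List[str]] = {}
    for name, addrs in local.items():
        for addr in addrs:
            by_addr.setdefault(addr, []).append(name)
    return {addr: sorted(names) for addr, names in by_addr.items() if len(names) >= 2}


def audit(resolv_conf: str, local: Dict[str, Set[str]], trusted: Dict[str, Set[str]]) -> dict:
    """Run all three checks and return a single report; 'suspicious' is True if any check fired."""
    report = {
        "unexpected_resolvers": unexpected_resolvers(parse_resolvers(resolv_conf)),
        "mismatched_answers": compare_answers(local, trusted),
        "shared_destinations": shared_destinations(local),
    }
    report["suspicious"] = any(report[k] for k in ("unexpected_resolvers", "mismatched_answers", "shared_destinations"))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_RESOLV_CONF, LOCAL_ANSWERS, TRUSTED_ANSWERS), indent=2))
```

The answer comparison is the decisive check; the resolver allow-list alone is weak, because a compromised router can keep handing out its own address as the resolver while forwarding hijacked answers. The shared-destination heuristic is useful when no trusted resolver is reachable from the affected network.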

Personal computer users get special attention. Roaming Mantis doesn’t ask them for a login but instead injects Coinhive JavaScript code into each page they visit. As long as they remain connected to the compromised Wi-Fi router, every page they visit mines the Monero cryptocurrency in the background.
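Injected mining code is something a proxy, a content filter or a simple page audit can spot. The following added example (not from the article or any of the products it mentions) parses an HTML document and reports two indicators: an external script loaded from the miner's known host, and an inline script that instantiates the miner's JavaScript API. The sample page, the site key and the `docs.example` host are constructed; `coinhive.com` and the `CoinHive.Anonymous` constructor are the service's real domain and API name, and both lists can be extended with other in-browser miners.

```python
"""Detect in-browser miner injection in an HTML page (added example, constructed sample)."""
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

MINER_HOSTS = {"coinhive.com"}                              # external script hosts to flag
INLINE_MARKERS = ("CoinHive.Anonymous", "CoinHive.User")    # miner API constructors

# Constructed page as a user behind the compromised router might receive it.
INJECTED_PAGE = """<html><head><title>Docs</title>
<script src="/js/app.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
</head><body><p>Hello</p>
<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); m.start();</script>
</body></html>"""

CLEAN_PAGE = """<html><head><script src="/js/app.js"></script></head>
<body><script>console.log('no miner here');</script></body></html>"""


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []
        self.inline: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def _host_of(src: str) -> Optional[str]:
    """Hostname of a script URL; protocol-relative '//host/...' URLs are handled, relative paths give None."""
    return urlparse(src).hostname


def _is_miner_host(host: Optional[str]) -> bool:
    return host is not None and any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


def find_miner_indicators(html: str) -> List[dict]:
    """Return one finding per indicator; an empty list means nothing matched."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = _host_of(src)
        if _is_miner_host(host):
            findings.append({"kind": "external_script", "host": host, "src": src})
    for body in collector.inline:
        hits = [m for m in INLINE_MARKERS if m in body]
        if hits:
            findings.append({"kind": "inline_script", "markers": hits})
    return findings


if __name__ == "__main__":
    for finding in find_miner_indicators(INJECTED_PAGE):
        print(finding)
```

Because the injection happens on the network path rather than on the origin server, the same page fetched over a trusted connection will show no indicators; comparing the two fetches is a quick way to confirm that the router, not the site, is the source.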

Extending their range beyond Asia, those behind the malware have now added support for 27 languages. That means that when a device's queries pass through the hijacked DNS, the user is directed to a phishing page in the appropriate language.

But there is more. After the initial phishing attack, Android users are prompted to install a malicious .apk file that, if executed, gives the hackers nearly full access to the device. That allows them, among other things, to install additional malicious programs. Phones that have been infected in this manner act as a trojan horse, spreading Roaming Mantis to any insecure router points they subsequently connect to — hence the use of the term roaming in its name.

Lorin Wu at Trend Micro recommends that users practice proper security hygiene to mitigate threats that may take advantage of a home or business router’s security gaps. Also, system administrators and information security professionals should configure their routers to be more resistant to attacks such as DNS cache poisoning.

Photo: Pxhere
