In this age of digital risks, protecting yourself from the constant barrage of cyberthreats is a full-time job. Cybercrime, data breaches, and internet attacks are on the rise. In fact, it is estimated that the global economy will lose around $2 trillion by 2019 due to Cybercrime.
And scammers will never run out of ideas to exploit you. Their tactics evolve as sure as technology advances. It’s like playing a game of cybersecurity whack-a-mole, as criminals think of infinite ways to secretly steal your hard-earned cash.
We’ve always been warning you about how vulnerable your router can be if it’s not configured properly. Hackers can hijack it to harvest your personal information, commandeer your smart devices, install malware on your computer and redirect your traffic to fake websites.
This newly discovered malware campaign does precisely that. If you’re not careful about, cybercriminals can quickly all drain your bank accounts without warning!
The Mantis strikes
The new malware in question is a nasty spyware/adware Android app called Roaming Mantis.This malicious app propagates itself not via third-party app downloads nor phishing scams but a technique known as DNS hijacking.
DNS hijacking of unsecured Wi-Fi routers is nothing new, of course, and we’ve talked about this technique before with malware like Switcher and other malicious DNS changers.
It’s when hackers alter your router’s DNS settings to intercept your traffic then redirect you to fake versions of legitimate sites designed to steal your credentials, banking information, and even the codes you use for two-factor authentication.
If your router’s DNS servers have been switched to the attackers’, they can hijack and redirect all your traffic to any site they want.
It’s a serious problem, indeed. Once your router is compromised and its DNS settings altered, potentially all of the computers and gadgets in your network can be exploited and targeted.
What’s a DNS?
But first, you may be wondering what DNS means. A DNS or domain name system is often called the phone book for the internet.
It translates the IP addresses of websites to domain names that are easier to read and remember (for example, Google.com is translated to the IP address 18.104.22.168 and vice-versa).
The communication between your computer and a DNS system is critical to correctly direct your web traffic.
This Mantis roams to siphon your identity
According to Kaspersky Labs researchers, once a router is compromised, cybercriminals will then use its altered DNS settings to redirect Android users to fake versions of real sites.
These fake sites will then display a pop-up warning message that states “To better experience the browsing, update to the latest chrome version.”
If you bite and click “OK,” your phone will then download and install a fake version of the Google Chrome browser, which is, in fact, the Roaming Mantis malware in disguise.
The fake Chrome browser will then ask for a variety of permissions including the collection of the device’s account information, the management of SMS and phone calls, the ability to record audio, control storage, install packages, draw overlay window, etc.
Once permissions are granted, and Roaming Mantis is installed, it will immediately show this fake warning message: “Account No.exists risks, use after certification.”
If you click “Enter” at this point, the malicious app will start a local web server on the compromised Android device, and it will open a fake version of the Google website. This site will try and fool you into entering the name and date of birth associated with your configured Gmail account.
Now here’s the rub. Since Roaming Mantis has permissions to read your SMS text messages, it allows the attackers to see and intercept all the two-factor authentication codes sent to your phone.
This means that with Roaming Mantis and compromised DNS settings, hackers can potentially get into all your social media, email accounts, and banking accounts without you knowing it (until it’s too late)!
Where did it come from?
Upon analysis of the malware code, Kaspersky Lab researchers discovered references to South Korean mobile banking and gaming applications. It also uses one of China’s leading social media sites, Sohu.com, as its command-and-control server. This suggests that Roaming Mantis has Asian origins.
As of this writing, Roaming Mantis was detected more than 6,000 times from over 150 unique users. It is flagged by Kaspersky as Trojan-Banker.AndroidOS.Wroba.
The most affected countries were South Korea, Bangladesh, and Japan but due to the nature of the attack, this campaign can spread quickly to other countries like the United States and Europe.
It’s still unknown what techniques the attackers used to hijack the DNS settings of vulnerable routers, but it’s likely via brute-forcing weak passwords or other malicious apps like Switcher.
How to protect yourself from the Roaming Mantis
As usual, please refrain from downloading and installing Android apps from unknown third-party sources. Only download apps from official app stores like Google Play and check user feedback too before installing.
It’s also wise to shore up your router’s security by changing its default administrator username and password and by updating its firmware regularly.