Some time ago our experts investigated a piece of malware that they dubbed Roaming Mantis. Back then, mainly users from Japan, Korea, China, India, and Bangladesh were being attacked, so we didn’t discuss the malware in the context of other regions, since it seemed to be a local threat.
However, in the month since the report was published, Roaming Mantis has learned to speak another two dozen languages and is rapidly spreading around the world.
The malware uses compromised routers to infect Android-based smartphones and tablets, redirect iOS devices to a phishing site, and runs the CoinHive cryptomining script on desktops and laptops. It does so by means of DNS hijacking, making it hard for targeted users to detect that something’s amiss.
What is DNS hijacking
When you enter a site name in the browser address bar, the browser doesn’t actually send a request to this site. Because it can’t. The Internet operates on IP addresses, which are sets of numbers, while domain names with letters are for people, since they are easier to remember and input.
So the first thing the browser does when a URL is entered is to send a request to what is called a DNS-server (DNS is Domain Name System), which translates the ‘human’ name into the IP address of the corresponding website. It is this IP address that the browser uses to locate and open the site.
DNS hijacking is a way of fooling the browser into thinking it has matched the domain name to the correct IP address when in fact it hasn’t. Although the IP address is wrong, the original URL entered by the user is displayed in the browser address bar, so nothing looks suspicious.
There are many DNS-hijacking techniques, but the creators of Roaming Mantis have chosen perhaps the simplest and the most effective: they hijack the settings of compromised routers forcing them to use their own rogue DNS servers. That means that whatever is typed in the browser address bar of a device connected to this router, the user is redirected to a malicious site.
Roaming Mantis on Android
After the user is redirected to the malicious site, they are prompted to update the browser. This leads to the download of a malicious app named chrome.apk (there was another version as well, named facebook.apk).
The malware requests a whole host of permissions during the installation process, including rights to access accounts information, send/receive SMS, process voice calls, record audio, access files, display its own window on top of others, and so on. For a trusted application like Google Chrome, such a list doesn’t seem too suspicious — if the user considers this ‘browser update’ legit, they are sure to grant permissions without even reading the list.
After the application is installed, the malware uses the right to access the list of accounts to find out which Google account is used on the device. Next, the user is shown a message (it appears on top of all other open windows, since the malware also requested permission for that) saying that something is wrong with their account and that they need to sign in again. A page then opens prompting the user to enter their name and date of birth.
It appears that this data, together with the SMS permissions that grant access to the one-time codes needed for two-factor authentication, is then used by the creators of Roaming Mantis to steal Google accounts.
Roaming Mantis: world tour, iOS debut, and mining
In the beginning, Roaming Mantis knew how to display messages in four languages: English, Korean, Chinese, and Japanese. But somewhere along the line its creators decided to expand out and teach their polyglot malware another two dozen languages:
While they were at it, the creators also improved Roaming Mantis, teaching it to attack devices running iOS. It’s a different scenario from Android. It skips downloading the application and instead the malicious site displays a phishing page prompting the user to relog into the App Store right away. To add credibility, the address bar shows the reassuring address security.apple.com:
The cybercriminals do not confine themselves to stealing only Apple ID credentials; immediately after entering this data, the user is asked for a bank card number:
The third innovation that our experts uncovered concerns desktop computers and laptops. On these devices, Roaming Mantis runs the CoinHive mining script, which mines cryptocurrency straight into the pockets of the malware makers. The victim’s computer processor is loaded to the max, forcing the system to slow down and consume vast amounts of power.
More details about Roaming Mantis can be found in the original report and a fresh Securelist post with updated information about the malware.
How to protect from Roaming Mantis
- Use antiviruses on all devices: not just computers and laptops, but smartphones and tablets too.
- Regularly update all installed software on your devices.
- On Android devices, disable installation of applications from unknown sources. To do so, go to Settings -> Security -> Unknown sources.
- The router firmware should also be updated as often as possible. Don’t use unofficial firmware downloaded from shady sites.
- Always change the default administrator password on the router.
What to do if infected by Roaming Mantis
- Immediately change all passwords for accounts compromised by the malware. Cancel all bank cards for which you entered details on the Roaming Mantis phishing site.
- Install an antivirus on all your devices and run a system scan.
- Navigate to your router’s settings and check the DNS server address. If it doesn’t match the one issued by your provider, change it back to the right one.
- Change the router administrator password and update the firmware. In doing so, be sure to download it only from the official website of the router manufacturer.