Newly discovered Malware called “Roaming Mantis” infiltrate the Android smartphones using a technique known as DNS hijacking and steal the sensitive information from compromised victims Android devices.
DNS hijacking is a type of Malicious attack that used to redirect the users to the malicious website when they visit the website via compromised routers or attackers modifying a server’s settings.
For an example, if the user visits the www.gbhackers.com using a well-known web Browsers but the user will be redirected into the rogue web server that contains no information about the gbhackers.com at the same time original URL will not be changed and the user will see the same URL.
This malware using compromised rogue server for redirection and it displays the malicious webpage to infected users that contain an encoded paylaod.
based on the investigation report, this attack support four different languages Korean, Simplified Chinese, Japanese and English, based on Android devices.
Aslo this Malware performs 3,000 connections to C2 infrastructure per day from the infected users Android devices and major C2 server traffic has been observed from Korean.
Also Read: 70% Of Chrome VPN Extensions Leak Your DNS Requests
Malware Infection Process via DNS Hijacking
One of the Malicious Android application called chrome.apk pushed into Android users and pretending as Chrome browser for Android.
This Malicious Android package contains Dalvik VM executable file called classes.dex which is used to read the file named /assets/db.
Further research revealed that this package contain an another Dalvik VM executable named test.dex when we look into the data inside of Base64 decoder.
Once extracted test.dex then it contains the main malicious payload that uses Base64 encoding technique is probably used to bypass trivial signature-based detection.
According to Kaspersky Researchers, AndroidManifest.xml contains one of the key components of the package – the permissions requested by the application from the device owner during installation.
This Malware request the apps permission when the user reboots their Android device and collecting various sensitive information using DNS Hijacking such as account information, managing SMS/MMS and making calls, recording audio, controlling external storage, checking packages, working with file systems, drawing overlay windows and so on.
Later all the stolen information will be backed up and send it via its command & control server that controlled by an attacker.
Aslo its perform an overlay with a message that says “Account No.exists risks, use after certification”, so once the victim clicks the Enter then it will redirect to its own web server on the device, and renders a page spoofing Google’s authentication on 127.0.0.1.
“There were more than 6,000 detections coming from just over 150 unique users. The most affected countries were South Korea, Bangladesh and Japan. Based on the design of the malware and our detection statistics, this malware was designed to be spread mainly in Asian countries”. Kaspersky said.
Malicious hosts:
114.44.37[.]112
118.166.1[.]124
118.168.193[.]123
128.14.50[.]146
128.14.50[.]147
220.136.111[.]66
220.136.179[.]5
220.136.76[.]200
43.240.14[.]44
haoxingfu01.ddns[.]net
shaoye11.hopto[.]org
Malicious apks:
03108e7f426416b0eaca9132f082d568
1cc88a79424091121a83d58b6886ea7a
2a1da7e17edaefc0468dbf25a0f60390
31e61e52d38f19cf3958df2239fba1a7
34efc3ebf51a6511c0d12cce7592db73
4d9a7e425f8c8b02d598ef0a0a776a58
808b186ddfa5e62ee882d5bdb94cc6e2
904b4d615c05952bcf58f35acadee5c1
a21322b2416fce17a1877542d16929d5
b84b0d5f128a8e0621733a6f3b412e19
bd90279ad5c5a813bc34c06093665e55
ff163a92f2622f2b8330a5730d3d636c
class.dex:
19e3daf40460aea22962d98de4bc32d2
36b2609a98aa39c730c2f5b49097d0ad
3ba4882dbf2dd6bd4fc0f54ec1373f4c
6cac4c9eda750a69e435c801a7ca7b8d
8a4ed9c4a66d7ccb3d155f85383ea3b3
b43335b043212355619fd827b01be9a0
b7afa4b2dafb57886fc47a1355824199
f89214bfa4b4ac9000087e4253e7f754
test.dex:
1bd7815bece1b54b7728b8dd16f1d3a9
307d2780185ba2b8c5ad4c9256407504
3e4bff0e8ed962f3c420692a35d2e503
57abbe642b85fa00b1f76f62acad4d3b
6e1926d548ffac0f6cedfb4a4f49196e
7714321baf6a54b09baa6a777b9742ef
7aa46b4d67c3ab07caa53e8d8df3005c
a0f88c77b183da227b9902968862c2b9
