Newly discovered malware called “Roaming Mantis” infiltrates Android smartphones using a technique known as DNS hijacking and steals sensitive information from compromised victims’ Android devices.
DNS hijacking is a type of malicious attack used to redirect users to a malicious website when they visit a website through a compromised router, or when attackers modify a DNS server’s settings.
For example, if the user visits www.gbhackers.com using a well-known web browser, the user is instead redirected to a rogue web server that contains no information about gbhackers.com; at the same time the original URL is not changed, so the user still sees the same URL in the address bar.
This malware uses a compromised rogue server for redirection and displays a malicious web page to infected users that contains an encoded payload.
Based on the investigation report, this attack supports four different languages, Korean, Simplified Chinese, Japanese and English, and targets Android devices.
Also, this malware performs about 3,000 connections to C2 infrastructure per day from infected users’ Android devices, and the majority of the C2 server traffic has been observed from Korea.
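The redirection described above is detectable from the defender's side because a hijacked resolver hands out a different A record than a trusted resolver does for the same name. The following Python script is an added example, not code from the article or from Kaspersky: it parses DNS response packets (wire format, including name compression) and reports any address returned by the local resolver that the trusted resolver did not return. The two responses, the name www.gbhackers.com and the addresses 203.0.113.45 and 198.51.100.10 are constructed sample input (documentation-only address ranges), not real records; in practice the two byte strings would be the raw replies captured from the router's resolver and from a resolver you trust.

```python
import ipaddress
import struct

def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS label format (used to construct sample packets)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_a_response(qname: str, answers: list[str], txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response carrying A records (sample input only, not a capture)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rrs = b""
    for ip in answers:
        # Owner name is a compression pointer to offset 12 (the question name).
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + rrs

def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a DNS name, following compression pointers; return (name, offset after the name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end

def parse_a_records(msg: bytes) -> dict[str, list[str]]:
    """Return {owner name: [IPv4, ...]} for every A record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4                                      # skip QTYPE and QCLASS
    result: dict[str, list[str]] = {}
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            result.setdefault(name, []).append(str(ipaddress.IPv4Address(rdata)))
    return result

def check_hijack(local_response: bytes, trusted_response: bytes) -> dict[str, dict]:
    """Flag names for which the local resolver returned addresses the trusted resolver did not."""
    local = parse_a_records(local_response)
    trusted = parse_a_records(trusted_response)
    findings = {}
    for name, ips in local.items():
        expected = set(trusted.get(name, []))
        unexpected = sorted(set(ips) - expected)
        if unexpected:
            findings[name] = {"unexpected": unexpected, "expected": sorted(expected)}
    return findings

# Constructed sample: the router's resolver points the site at a rogue server.
LOCAL_REPLY = build_a_response("www.gbhackers.com", ["203.0.113.45"])
TRUSTED_REPLY = build_a_response("www.gbhackers.com", ["198.51.100.10"])

if __name__ == "__main__":
    for name, detail in check_hijack(LOCAL_REPLY, TRUSTED_REPLY).items():
        print(f"{name}: local resolver returned {detail['unexpected']}, trusted returned {detail['expected']}")
```

A mismatch alone is not proof of hijacking, since large sites legitimately return different addresses from different vantage points; the useful signal is an address outside the site's known hosting ranges, combined with a router whose DNS setting has changed without the owner doing it.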
Malware Infection Process via DNS Hijacking
A malicious Android application called chrome.apk is pushed to Android users, pretending to be the Chrome browser for Android.
Further research revealed that this package contains another Dalvik VM executable named test.dex, which becomes visible when the data inside the package is run through a Base64 decoder.
Once extracted, test.dex contains the main malicious payload; the Base64 encoding is probably used to bypass trivial signature-based detection.
According to Kaspersky researchers, AndroidManifest.xml contains one of the key components of the package: the permissions requested by the application from the device owner during installation.
This malware requests the app’s permissions when the user reboots their Android device, and on a device infected via DNS hijacking those permissions let it collect various sensitive information: account information, managing SMS/MMS and making calls, recording audio, controlling external storage, checking packages, working with file systems, drawing overlay windows and so on.
Later, all the stolen information is backed up and sent to its command & control server, which is controlled by the attacker.
Also, it shows an overlay with a message that says “Account No.exists risks, use after certification”; once the victim taps Enter, it redirects to the malware’s own web server on the device and renders a page spoofing Google’s authentication on 127.0.0.1.
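The two indicators described above, a Base64-encoded DEX hidden inside the package and a manifest asking for permissions that together cover SMS, calls, audio, storage and overlays, can both be checked with a short triage script. The following Python code is an added example, not code from the article or from Kaspersky. It assumes the manifest has already been decoded to plain XML (a real APK stores AndroidManifest.xml in binary AXML form, so a decoder such as apktool would run first), and it builds a constructed, fake package in memory so the script runs offline; the permission watchlist and its descriptions are this example's own choices, not a list from the report.

```python
import base64
import io
import re
import xml.etree.ElementTree as ET
import zipfile

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
DEX_MAGIC = b"dex\n"          # every DEX file starts with "dex\n" followed by the version

# Hypothetical watchlist: permissions that map onto the capabilities described for this family.
WATCHLIST = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts itself after reboot",
    "android.permission.GET_ACCOUNTS": "reads account information",
    "android.permission.READ_SMS": "reads SMS/MMS",
    "android.permission.SEND_SMS": "sends SMS",
    "android.permission.CALL_PHONE": "makes calls",
    "android.permission.RECORD_AUDIO": "records audio",
    "android.permission.WRITE_EXTERNAL_STORAGE": "controls external storage",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws overlay windows",
}

# Runs of Base64 text long enough to be worth decoding.
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def manifest_permissions(manifest_xml: bytes) -> list[str]:
    """Return the android:name of every <uses-permission> element in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]

def find_hidden_dex(data: bytes) -> list[bytes]:
    """Decode every long Base64 run in data and keep the ones that start with the DEX magic."""
    hits = []
    for match in B64_BLOB.finditer(data):
        raw = match.group(0)
        raw = raw[: len(raw) - len(raw) % 4]            # keep whole 4-character groups only
        try:
            decoded = base64.b64decode(raw, validate=True)
        except ValueError:                              # binascii.Error is a ValueError
            continue
        if decoded.startswith(DEX_MAGIC):
            hits.append(decoded)
    return hits

def triage_apk(apk_bytes: bytes) -> dict:
    """Report watchlisted permissions and Base64-hidden DEX payloads found in an APK (a zip)."""
    report = {"suspicious_permissions": {}, "hidden_dex": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            content = zf.read(info.filename)
            if info.filename == "AndroidManifest.xml":
                for perm in manifest_permissions(content):
                    if perm in WATCHLIST:
                        report["suspicious_permissions"][perm] = WATCHLIST[perm]
            elif not info.filename.endswith(".dex"):    # the visible classes.dex is expected
                for blob in find_hidden_dex(content):
                    report["hidden_dex"].append({"entry": info.filename, "decoded_size": len(blob)})
    return report

def build_sample_apk() -> bytes:
    """Construct a fake package for the demo: plain-XML manifest plus a Base64 DEX blob in assets."""
    manifest = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakechrome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""
    fake_dex = b"dex\n035\x00" + b"\x00" * 100          # constructed stand-in, not a real DEX
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("assets/data.txt", base64.b64encode(fake_dex))
    return buf.getvalue()

if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    for perm, why in result["suspicious_permissions"].items():
        print(f"permission {perm}: {why}")
    for hit in result["hidden_dex"]:
        print(f"hidden DEX in {hit['entry']} ({hit['decoded_size']} bytes decoded)")
```

The Base64 check is deliberately content-based rather than signature-based: it does not care what the decoded payload is called, only that something that decodes to a DEX header is sitting in an entry where no DEX belongs, which is exactly what trivial signature matching on the outer package misses.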
“There were more than 6,000 detections coming from just over 150 unique users. The most affected countries were South Korea, Bangladesh and Japan. Based on the design of the malware and our detection statistics, this malware was designed to be spread mainly in Asian countries,” Kaspersky said.