Kaspersky Detects Android Malware, Sounds Alarm Bell

Researchers at Kaspersky Lab, a 20-year-old leading global cyber security company, have now discovered a new Android malware, which is being distributed through a domain name system (DNS) hijacking technique and targeting smartphones, mostly in Asia.

Billed as ‘Roaming Mantis’, the campaign remains highly active and is designed to steal user information including credentials and to provide attackers with full control over the compromised Android device. Within a short period between February and April 2018, Kaspersky researchers detected the malware in more than 150 user networks, mainly in countries like South Korea, Bangladesh, and Japan. It is apprehended that there are many more victims. Researchers are of the view that a cybercriminal group looking for financial gain is behind the entire operation.

Vitaly Kamluk, director, Global Research Analysis Team (GReAT) - APAC, Kaspersky Lab pointed out that the story had been recently reported in the Japanese media. Following some research on the issue, Kaspersky researchers found that the threat had not originated in Japan. Interestingly, the research suggested that the actual attacker behind this threat speaks either Chinese or Korean. The research also found that the majority of victims were not located in Japan either. Roaming Mantis seems to be focusing mainly on Korea. It seems that Japan has been a kind of collateral damage.

The study also indicated that the prime attackers behind the malware seek out vulnerable routers for compromising and distributing the malware through a simple yet very effective trick of hijacking the DNS settings of those infected routers. Interestingly, the method of router compromise still remains unknown. Once the DNS is successfully hijacked, any attempt by users to access any website leads them to a genuine-looking URL with forged content coming from the attackers’ server. This includes the request: “To better experience the browsing, update to the latest chrome version.” Clicking on the link initiates the installation of a Trojanized application named either ‘facebook.apk’ or ‘chrome.apk’, which contains the attackers’ Android backdoor.

While Kaspersky Lab’s detection data uncovered around 150 targets, further analysis also revealed thousands of connections hitting the attackers’ command & control (C2) servers on a daily basis, pointing to a far larger scale of attack.