Malware

New “Roaming Mantis” Malware uses DNS Hijacking Attack to Hack Android Smartphones

Newly discovered Malware called “Roaming Mantis” infiltrate the Android smartphones using a technique known as DNS hijacking and steal the sensitive information from compromised victims Android devices.

DNS hijacking is a type of Malicious attack that used to redirect the users to the malicious website when they visit the website via compromised routers or attackers modifying a server’s settings.

For an example, if the user visits the www.gbhackers.com using a well-known web Browsers but the user will be redirected into the rogue web server that contains no information about the gbhackers.com at the same time original URL will not be changed and the user will see the same URL.

This malware using compromised rogue server for redirection and it displays the malicious webpage to infected users that contain an encoded paylaod.

based on the investigation report, this attack support four different languages Korean, Simplified Chinese, Japanese and English, based on Android devices.

Aslo this Malware performs 3,000 connections to C2 infrastructure per day from the infected users Android devices and major C2 server traffic has been observed from Korean.

Also Read: 70% Of Chrome VPN Extensions Leak Your DNS Requests

Malware Infection Process via DNS Hijacking

One of the Malicious Android application called chrome.apk pushed into Android users and pretending as Chrome browser for Android.

This Malicious Android package contains Dalvik VM executable file called classes.dex which is used to read the file named /assets/db.

Further research revealed that this package contain an another Dalvik VM executable named test.dex when we look into the data inside of Base64 decoder.

Once extracted test.dex then it contains the main malicious payload that uses Base64 encoding technique is probably used to bypass trivial signature-based detection.

According to Kaspersky Researchers, AndroidManifest.xml contains one of the key components of the package – the permissions requested by the application from the device owner during installation.

This Malware request the apps permission when the user reboots their Android device and collecting various sensitive information using DNS Hijacking such as account information, managing SMS/MMS and making calls, recording audio, controlling external storage, checking packages, working with file systems, drawing overlay windows and so on.

Later all the stolen information will be backed up and send it via its command & control server that controlled by an attacker.

Aslo its perform an overlay with a message that says “Account No.exists risks, use after certification”, so once the victim clicks the Enter then it will redirect to its own web server on the device, and renders a page spoofing Google’s authentication on 127.0.0.1.

“There were more than 6,000 detections coming from just over 150 unique users. The most affected countries were South Korea, Bangladesh and Japan. Based on the design of the malware and our detection statistics, this malware was designed to be spread mainly in Asian countries”. Kaspersky said.

Malicious hosts:
114.44.37[.]112
118.166.1[.]124
118.168.193[.]123
128.14.50[.]146
128.14.50[.]147
220.136.111[.]66
220.136.179[.]5
220.136.76[.]200
43.240.14[.]44
haoxingfu01.ddns[.]net
shaoye11.hopto[.]org

Malicious apks:
03108e7f426416b0eaca9132f082d568
1cc88a79424091121a83d58b6886ea7a
2a1da7e17edaefc0468dbf25a0f60390
31e61e52d38f19cf3958df2239fba1a7
34efc3ebf51a6511c0d12cce7592db73
4d9a7e425f8c8b02d598ef0a0a776a58
808b186ddfa5e62ee882d5bdb94cc6e2
904b4d615c05952bcf58f35acadee5c1
a21322b2416fce17a1877542d16929d5
b84b0d5f128a8e0621733a6f3b412e19
bd90279ad5c5a813bc34c06093665e55
ff163a92f2622f2b8330a5730d3d636c

To Top

Pin It on Pinterest

Share This