The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Roaming Mantis Wroba.o Android Malware

Feb 3, 2023 1:20:46 PM / by The Hivemind

Roaming Mantis Wroba.o Android Malware Related Families: Wroba.o, Xloader

Executive Summary

Kaspersky SecureList recently reported on a Roaming Mantis campaign using Wroba.o with DNS hijacking to infect routers and Android devices.

Key Takeaways

  • Roaming Mantis has a long history of targeting Android devices.
  • In a recent campaign, they used Wroba.o to infect Android devices and target certain routers with a DNS changer.
  • The campaign took advantage of mobile users’ tendency to connect to public WiFi networks at coffee shops, airports, libraries, and other commonly visited locations. 
  • Once the router is infected, any additional Android devices that connect to the router can be rerouted to phishing pages or pages hosting malicious APKs.

The Campaign

Roaming Mantis, also known as Shaoye, is the name of a longstanding set of cyber activities targeting Android devices. The financially motivated threat actors behind this activity also use phishing to steal user credentials. Roaming Mantis has previously targeted multiple Asian countries, including Japan, South Korea, and Taiwan.

Kaspersky SecureList recently reported on a Roaming Mantis campaign active as early as September 2022 that used DNS hijacking to infect Android devices. In the campaign, the threat actors leveraged Wroba.o/XLoader Android malware to compromise WiFi routers in South Korea using a DNS changer. Initial victims are typically infected via smishing texts that prompt Android users to install a malicious APK containing Wroba.o. iOS users are instead directed to a phishing page in an attempt to steal credentials.

On an infected Android device, Wroba.o/Xloader obtains the default gateway IP of the router and tries to log in to the administrator web interface using default credentials. If a targeted router model is detected, the DNS changer connects to a hardcoded vk[.]com account to retrieve another URI, which provides a rogue DNS IP address. The DNS changer then generates a URL query with the rogue DNS IP to compromise the DNS settings of the router. While Roaming Mantis has used DNS hijacking in the past, the latest campaign is the first to use malware that targets specific routers.

This campaign took advantage of mobile device users connecting to free or public WiFi in coffee shops, bars, hotels, libraries, shopping malls, and airports. Android devices connected to these routers can comprise the network drives and all other connected devices, allowing the malware to spread. Vulnerable Android devices on the affected network can be rerouted to phishing pages or have Android malware dropped on their devices.

IOCs

PolySwarm has multiple samples of Wroba.o.

6826475f9f9f780b24b6cbe01ca48db491e124938523508eb52bbfee5072a561

bd3ead7a492f319cfa61b854f2f5d7217b02dd9f71a8833c49bb5873d6af69f1

 

You can use the following CLI command to search for all Wroba.o samples in our portal:

$ polyswarm link list -f Wroba.o


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, Android, Shaoye, Xloader, Roaming Mantis, DNS, Wroba.o

The Hivemind

Written by The Hivemind

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts

Join the Marketplace

For Enterprises and Businesses

Learn More

For Security Experts and AV Companies

Learn More