The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Roaming Mantis Wroba.o Android Malware

Feb 3, 2023 1:20:46 PM / by The Hivemind

Roaming Mantis Wroba.o Android Malware Related Families: Wroba.o, Xloader

Executive Summary

Kaspersky SecureList recently reported on a Roaming Mantis campaign using Wroba.o with DNS hijacking to infect routers and Android devices.

Key Takeaways

  • Roaming Mantis has a long history of targeting Android devices.
  • In a recent campaign, they used Wroba.o to infect Android devices and target certain routers with a DNS changer.
  • The campaign took advantage of mobile users’ tendency to connect to public WiFi networks at coffee shops, airports, libraries, and other commonly visited locations. 
  • Once the router is infected, any additional Android devices that connect to the router can be rerouted to phishing pages or pages hosting malicious APKs.

The Campaign

Roaming Mantis, also known as Shaoye, is the name of a longstanding set of cyber activities targeting Android devices. The financially motivated threat actors behind this activity also use phishing to steal user credentials. Roaming Mantis has previously targeted multiple Asian countries, including Japan, South Korea, and Taiwan.

Kaspersky SecureList recently reported on a Roaming Mantis campaign active as early as September 2022 that used DNS hijacking to infect Android devices. In the campaign, the threat actors leveraged Wroba.o/XLoader Android malware to compromise WiFi routers in South Korea using a DNS changer. Initial victims are typically infected via smishing texts that prompt Android users to install a malicious APK containing Wroba.o. iOS users are instead directed to a phishing page in an attempt to steal credentials.

On an infected Android device, Wroba.o/Xloader obtains the default gateway IP of the router and tries to log in to the administrator web interface using default credentials. If a targeted router model is detected, the DNS changer connects to a hardcoded vk[.]com account to retrieve another URI, which provides a rogue DNS IP address. The DNS changer then generates a URL query with the rogue DNS IP to compromise the DNS settings of the router. While Roaming Mantis has used DNS hijacking in the past, the latest campaign is the first to use malware that targets specific routers.

This campaign took advantage of mobile device users connecting to free or public WiFi in coffee shops, bars, hotels, libraries, shopping malls, and airports. Android devices connected to these routers can comprise the network drives and all other connected devices, allowing the malware to spread. Vulnerable Android devices on the affected network can be rerouted to phishing pages or have Android malware dropped on their devices.


PolySwarm has multiple samples of Wroba.o.




You can use the following CLI command to search for all Wroba.o samples in our portal:

$ polyswarm link list -f Wroba.o

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, Android, Shaoye, Xloader, Roaming Mantis, DNS, Wroba.o

The Hivemind

Written by The Hivemind

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts