On January 19, Kaspersky researchers reported the Roaming Mantis campaign uses a new domain name system (DNS) changer functionality to abuse compromised Wi-Fi routers.
Now cybercriminals can potentially infect more Android smartphones with the Wroba.o malware via compromised Wi-Fi routers in cafes, airports hotels and other public places.
At the moment, the new technique targets users in South Korea, but it will soon be expanded to other countries.
Roaming Mantis (aka Shaoye) is a cybercriminal campaign first observed by Kaspersky in 2018. It uses malicious Android package (APK) files to control infected Android devices and steal data. It also has a phishing option for iOS devices and crypto-mining capabilities for PCs.
The name of the campaign is based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection.
New DNS changer functionality to attack more users via public routers
Kaspersky discovered that Roaming Mantis recently introduced a domain name system (DNS) changer functionality in Wroba.o (a.k.a Agent.eq, Moqhao, XLoader) – the malware that was primarily used in the campaign.
At the moment, the threat actor behind Roaming Mantis is specifically targeting South Korean Wi-Fi routers manufactured by a popular South Korean network equipment vendor.
DNS changer is a malicious program that directs the device connected to a compromised Wi-Fi router to a server under the control of cybercriminals instead of a legitimate DNS server.
On the malicious landing page, the potential victim is prompted to download malware that can control the device or steal credentials.
In December 2022, Kaspersky observed 508 malicious APKs downloads in South Korea (see the Table below).
An investigation of malicious landing pages found that attackers are also targeting other regions using smishing instead of DNS changers.
This technique employs text messages to spread malicious links that direct the victim to a malicious site to download malware onto the device or steal user info via a phishing website.
Japan topped the list of targeted countries with nearly 25,000 malicious APK downloads from the landings created by cybercriminals.
Kaspersky researchers predict that the perpetrators may soon update the DNS changer function to target Wi-Fi routers in those regions as well.
| Country | Number of downloaded malicious APK |
| Japan | 24,645 |
| Austria | 7,354 |
| France | 7,246 |
| Germany | 5,827 |
| South Korea | 508 |
| Turkey | 381 |
| Malaysia | 154 |
| India | 28 |
According to Kaspersky Security Network (KSN) statistics in September – December 2022, the highest detection rate of Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) was in France (54.4%), Japan (12.1%) and the U.S. (10.1%).
“The new DNS changer functionality can manage all device communications using the compromised Wi-Fi router, such as redirecting to malicious hosts and disabling updates of security products.
“We believe that this discovery is highly critical for the cybersecurity of Android devices because it is capable of being widely spread in the targeted regions,” said Kaspersky senior security researcher Suguru Ishimaru.
In order to protect your internet connection from this infection, Kaspersky researchers recommend the following:
- Refer to your router’s user manual to verify that your DNS settings haven’t been tampered with or contact your ISP for support.
- Change the default login and password for the admin web interface of the router and regularly update your router’s firmware from the official source.
- Never install router firmware from third party sources. Avoid using third-party repositories for your Android devices.
- Check browser and website addresses to ensure they are legitimate; look for signs such as https when asked to enter data.
- Consider installing a mobile security solution to stay protected from these and other threats.
