Roaming Mantis Malware Attacks Android Users via Hacked Routers

Kaspersky security researchers found a new Android malware, called Roaming Mantis, distributed through a simple trick based on DNS hijacking.

The developers of Roaming Mantis malware operate like someone who has swapped out your phone book with one they created, where all of the important phone numbers have been changed to call the bad actors’ friends instead of the bank you were trying to call.

Then, whoever answered the phone managed to convince you they really were the bank you thought you were calling. You answer your security questions over the phone, and when you hang up, the bad actor calls your bank and successfully masquerades as you, since they now have the answers to your security questions.

The analogy is imperfect, since no one uses phone books anymore, but replace “phone books” with “DNS” and it is no longer an analogy: it is a real cyber attack that presently targets mobile phone users in Asia and attempts to steal their banking details.

Last month, reports emerged of hacked routers in Japan redirecting users to compromised websites. According to Kaspersky Lab's investigation, the attack targets users in Asia with fake websites localized for English, Korean, Japanese, and Simplified Chinese. Infection statistics show that the most affected users are currently located in Bangladesh, Japan and South Korea.

The attack begins when a user tries to access a legitimate website through a compromised router. Instead of reaching the intended website, the user is redirected to a convincing copy of it and is presented with a popup dialog box that says, “To better experience the browsing, update to the latest Chrome version.”

When the user clicks on the OK button, a file called chrome.apk is downloaded, but instead of containing an updated Chrome browser, the file contains the Roaming Mantis malware.

During the installation process, the user is prompted to grant a number of permissions, including the ability to appear on top of other applications, access to the contact list, placing phone calls, collecting account information, sending and receiving SMS messages, and recording audio. Once the user has granted these permissions, the next stage of the compromise begins.

Using its ability to appear on top of other applications, the Roaming Mantis malware displays a warning message saying, “Account No. exists risks, use after certification.”

Once the user presses the Enter button, a fake version of a Google website, hosted on a temporary web server running on the phone itself, is displayed. The fake pages show the user’s Gmail ID and ask for the user’s name and date of birth. This gives the attackers users’ Google IDs, full names and dates of birth, which is enough to start compromising banking information.

Most banks require a second authentication factor (2FA) before allowing a user to make changes; however, the Roaming Mantis malware is authorized to intercept SMS messages, which lets it subvert many SMS-based 2FA processes.
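The permission set described above, and in particular the pairing of an overlay permission with SMS interception that undermines SMS-based 2FA, is something a defender can triage before a sideloaded package is ever installed. The following is an added example, not code from the article or from Kaspersky: it parses the text that the Android SDK tool `aapt dump permissions <apk>` prints (both the older `uses-permission: android.permission.X` and the newer `uses-permission: name='...'` line formats) and flags sensitive permissions and high-risk combinations. The sample output, the package name `com.example.fakechrome`, and the risk groupings are constructed for this example and are not taken from a real sample.

```python
"""Triage the permissions requested by an Android package (added example).

Consumes the output of `aapt dump permissions <apk>`; the sample text below is
constructed to mirror the permission set the article attributes to the fake
chrome.apk and is not real tool output.
"""
import re

# Constructed sample of `aapt dump permissions` output for a fake "Chrome update".
SAMPLE_AAPT_OUTPUT = """\
package: com.example.fakechrome
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.INTERNET'
"""

# Permissions a browser update has no business requesting. The capabilities
# match those the article lists; the grouping is this example's own.
SENSITIVE = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay phishing)",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.GET_ACCOUNTS": "enumerate device accounts",
    "android.permission.RECEIVE_SMS": "read incoming SMS",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECORD_AUDIO": "record audio",
}

# Combinations that together enable a specific fraud chain (example's own rules).
COMBOS = [
    ({"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.RECEIVE_SMS"},
     "overlay phishing plus SMS interception: can defeat SMS one-time codes"),
    ({"android.permission.GET_ACCOUNTS", "android.permission.SYSTEM_ALERT_WINDOW"},
     "account enumeration plus overlay: can show a credential prompt naming the victim's account"),
]

# Accepts both `uses-permission: name='X'` and the older `uses-permission: X`.
PERM_RE = re.compile(r"^uses-permission:\s+(?:name=')?([A-Za-z0-9_.]+)'?$")


def parse_permissions(aapt_text):
    """Return the set of permission names found in aapt's uses-permission lines."""
    perms = set()
    for line in aapt_text.splitlines():
        m = PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms


def triage(perms):
    """Return (sensitive_hits, combo_findings) for a set of permission names.

    sensitive_hits maps each flagged permission to a short description;
    combo_findings lists the fraud chains whose full permission set is present.
    """
    hits = {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE}
    findings = [desc for needed, desc in COMBOS if needed <= perms]
    return hits, findings


if __name__ == "__main__":
    requested = parse_permissions(SAMPLE_AAPT_OUTPUT)
    hits, findings = triage(requested)
    for perm, why in hits.items():
        print(f"sensitive: {perm} ({why})")
    for finding in findings:
        print(f"high-risk combination: {finding}")
```

The point of the combination rules is that individual permissions are weak signals (a messaging app legitimately reads SMS), but a package claiming to be a browser that asks for overlay, account and SMS access at once matches the exact chain the article describes, and that is what should stop an install.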

According to the experts, users who want to keep their data safe should secure the router first: up-to-date firmware, strong passwords for admin access and disabling remote access to the router's administration interfaces will make it difficult to compromise.

The latest attack targets DNS services running on routers. A DNS service running on a server inside your network is not at risk from this attack (though it is not impervious to all attacks). Beyond the router, only install software from trusted app stores and pay attention to the permissions an app requests.
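Because the attack works by changing the answers the router's DNS service hands out, a simple detection is to resolve sensitive names through the resolver the device was given and again through a resolver you trust, and compare. The following is an added example, not code from the article or from Kaspersky: it builds a DNS A query, parses the reply (including the name-compression pointers real servers use), and reports names where the two resolvers disagree. The UDP transport is real, but the demonstration runs offline through `fake_exchange`, which answers from constructed tables; the resolver addresses `192.168.1.1` (the router) and `192.0.2.53` (a placeholder trusted resolver), and the names `bank.example` and `mail.example`, are assumptions for this example.

```python
"""Detect DNS hijacking by comparing two resolvers' answers (added example).

Everything below is constructed for illustration; the only real protocol
behaviour is the DNS wire format and the UDP exchange in udp_exchange().
"""
import ipaddress
import os
import socket
import struct


def build_query(name, txid):
    """Return a standard recursive DNS query for the A record of `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Read a (possibly compressed) domain name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: jump, remember where we were
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg, txid):
    """Return the sorted IPv4 answers in a DNS reply, checking the transaction id."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(str(ipaddress.IPv4Address(rdata)))
    return sorted(answers)


def udp_exchange(resolver, query, timeout=2.0):
    """Send `query` to `resolver` on UDP/53 and return the raw reply (real network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        return s.recv(4096)


def lookup(name, resolver, exchange=udp_exchange):
    txid = int.from_bytes(os.urandom(2), "big")
    return parse_a_records(exchange(resolver, build_query(name, txid)), txid)


def compare_resolvers(names, device_resolver, trusted_resolver, exchange=udp_exchange):
    """Return {name: (device_answer, trusted_answer)} for names where they differ."""
    diffs = {}
    for name in names:
        dev, trusted = lookup(name, device_resolver, exchange), lookup(name, trusted_resolver, exchange)
        if dev != trusted:
            diffs[name] = (dev, trusted)
    return diffs


# ---- offline stand-in for two resolvers (constructed data) ----
def build_response(query, ips):
    """Construct a reply to `query` carrying the given A records (demo only)."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
                   for ip in ips)
    return header + query[12:] + rrs  # echo the question, then the answers


# Constructed: the hijacked router steers the bank to a different host.
TABLES = {
    "192.168.1.1": {"bank.example": ["198.51.100.7"], "mail.example": ["192.0.2.10"]},
    "192.0.2.53": {"bank.example": ["192.0.2.5"], "mail.example": ["192.0.2.10"]},
}


def fake_exchange(resolver, query, timeout=None):
    name, _ = _read_name(query, 12)
    return build_response(query, TABLES[resolver].get(name, []))


if __name__ == "__main__":
    for name, (dev, trusted) in compare_resolvers(
            ["bank.example", "mail.example"], "192.168.1.1", "192.0.2.53", fake_exchange).items():
        print(f"MISMATCH {name}: router says {dev}, trusted resolver says {trusted}")
```

A mismatch is a prompt to investigate rather than proof of hijacking, since CDNs and geo-aware DNS legitimately return different addresses to different resolvers; a router that has been reconfigured to hand out an unfamiliar resolver address, or that returns a bank's name pointing at an address outside the bank's own ranges, is the stronger signal.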
