Multilingual malware hits Android devices for phishing & cryptomining

Roaming Mantis malware also targets iOS devices for phishing attacks.

‘Roaming Mantis uses DNS hijacking to infect Android smartphones’ was the title of a blog post from Kaspersky Lab published in April 2018 that provided details about the notorious Roaming Mantis malware that performs targeted operation to hijack Android devices. The malware is believed to be evolving rapidly and aims at capturing sensitive user data by infecting the Android device.

“Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition, the criminals added a phishing option for iOS devices, and crypto-mining capabilities for the PC,” read Kaspersky Lab’s blog post.

In fact, it is capable of performing an array of diverse functionalities including cryptocurrency mining and iOS device phishing apart from targeting Android devices for stealing information. As per Kaspersky Lab’s researcher Suguru Ishimaru, the previous campaign involving Roaming Mantis was also analyzed by Kaspersky Lab and the findings were detailed in its blog post “The Roaming Mantis campaign evolved significantly in a short period of time.”

The attacks have been expanded to around 27 different languages including English, Hindi, Russian, Chinese, and Hebrew. Originally the malware was distributed in five languages but now the range has been expanded using an automatic translator. The full list of languages can be accessed here.

The New Multilingual Android Malware Targeting Devices for Phishing and Cryptomining.
Image credit: Kaspersky

Developed to be distributed through DNS hijacking, the malware is currently most active in Asian regions including Bangladesh, India, Japan and South Korea, according to Kaspersky Lab’s telemetry data analysis. However, there are also reports of the malware targeting devices in the Middle East and Europe.

Roaming Mantis, also known as MoqHao and XLoader, redirects victims to a malicious web page through DNS hijacking while the page is distributed through a fake and infected Facebook or Chrome application (titled ‘facebook.apk’ or ‘chrome.apk’). The application, which contains an Android Trojan-Banker, has to be installed manually by the victim. However, researchers noted that the comments are posted in Simplified Chinese.

To hijack iOS devices, a fake page mimicking the official Apple website is distributed that claims to be ‘’. The page requires the victim to provide user ID, passwords, CVV, card expiration and card number. Nearly 25 languages are being supported by this site’s HTML source and only Bengali and Georgian are eliminated.

Roaming Mantis is also capable of stealing private and sensitive data from Apple and Android mobile phones while cryptocurrency mining is performed by the inclusion of a special script in the malware’s HTML source code, which gets executed whenever the browser is opened.

Additionally, a Coinhive Javascript miner is executed to exploit the device’s CPU to mine Monero cryptocurrency. In comparison to other attacks, Roaming Mantis’ cryptocurrency mining is quite subtle. This means a majority of users may not even notice that their device’s resources are being used for mining.

The New Multilingual Android Malware Targeting Devices for Phishing and Cryptomining.
Image credit: Kaspersky

“Coinhive is the most popular web miner used by cybercriminals around the world. When a user connects to the landing page from a PC, the CPU usage will drastically increase because of the crypto mining activity in the browser,” explained Kaspersky Lab researchers.

So far, about 150 successful attacks have been observed but according to Kaspersky Lab, it more or less represents just a “tiny fraction of the overall picture,” since when DNS hijacking is involved, it becomes quite difficult to identify targets.

Related Posts