Kaspersky Lab researchers have discovered new Android malware, distributed through a domain name system (DNS) hijacking technique, that targets smartphones mainly in Asia.
The campaign, called Roaming Mantis, is still very active and is designed to steal users' information, including credentials, and to give attackers full control over the compromised Android device.
Between February and April 2018, researchers detected the malware in more than 150 user networks, mainly in South Korea, Bangladesh and Japan, but there are likely to be many more victims.
Investigators believe that a cybercriminal group seeking financial gain is behind the operation.
"The story was recently reported in the Japanese media, but once we did a little more research, we discovered that the threat does not originate there. In fact, we found a number of clues that the attacker behind this threat speaks Chinese or Korean. Also, most of the victims were not in Japan either. Roaming Mantis seems to focus mainly on Korea, and Japan seems to have been a kind of collateral damage," said Vitaly Kamluk, Director of the Global Research and Analysis Team (GReAT) – APAC.
The Kaspersky Lab findings indicate that the attackers behind the malware are looking for vulnerable routers to compromise and distribute the malware through the effective trick of hijacking the DNS settings of those infected routers.
How the routers are compromised remains unknown.
Once the DNS is successfully hijacked, any attempt to access a website leads to a genuine-looking URL serving forged content from the attacker's server.
This includes the prompt: "To experience better browsing, upgrade to the latest version of Chrome."
Clicking on the link starts the installation of a Trojan application called 'facebook.apk' or 'chrome.apk', which contains the attackers' Android backdoor.
Roaming Mantis malware checks if the device is rooted and requests permission to receive notifications of any communications or browsing activity performed by the user.
It is also capable of collecting a wide range of data, including credentials for two-factor authentication.
The researchers found that some of the malware's code includes references to application IDs of mobile banking apps and popular games in South Korea.
Taken together, these indicators suggest a possible financial motive behind this campaign.
While Kaspersky Lab's detection data identified around 150 targets, a more detailed analysis also revealed thousands of connections hitting the attackers' command and control (C2) servers on a daily basis, pointing to a much larger attack scale.
The design of the Roaming Mantis malware shows that it is intended for wider distribution in Asia.
Among other things, it supports four languages: Korean, Simplified Chinese, Japanese and English.
However, the assembled artifacts suggest that the threat actors behind this attack are mainly familiar with Simplified Chinese and Korean.
"Roaming Mantis is an active and rapidly changing threat, which is why we are publishing our findings now, instead of waiting until we have all the answers. There seems to be considerable motivation behind these attacks, and we must raise awareness so that people and organizations can better recognize the threat. The use of infected routers and hijacked DNS highlights the need for strong device protection and the use of secure connections," said Suguru Ishimaru, security researcher at Kaspersky Lab Japan.
Kaspersky Lab products detect this threat as 'Trojan-Banker.AndroidOS.Wroba'.
In addition, to protect your Internet connection from this infection, Kaspersky Lab recommends the following:
– Consult your router's user manual to verify that its DNS settings have not been altered, or contact your ISP for support.
– Change the default login and password for the router's administrative web interface.
– Never install router firmware from third-party sources. Avoid the use of third-party repositories for your Android devices.
– Periodically update your router's firmware from the official source.
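The first recommendation above (checking that the DNS settings handed out by the router have not been altered) can be partly automated. The following is an added example, not Kaspersky Lab's code: it parses resolv.conf-style text, flags any nameserver outside an allowlist, and compares answers for a sentinel hostname obtained via the local resolver with answers from a trusted resolver reached over an independent path. The allowlist, the resolv.conf text and the answer sets are constructed sample values.

```python
import ipaddress
import re
from typing import Iterable

# Constructed sample: resolv.conf as handed out by a router whose DNS settings
# were changed. 192.0.2.53 (documentation space) stands in for a rogue resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from the home router (constructed sample)
nameserver 192.168.1.1
nameserver 192.0.2.53
search lan
"""

# Assumption: the resolvers this network legitimately uses are the router
# itself and two well-known public resolvers. Adjust to your own environment.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        match = re.match(r"nameserver\s+(\S+)", line)
        if match:
            try:
                servers.append(str(ipaddress.ip_address(match.group(1))))
            except ValueError:
                pass  # malformed entry, ignore it
    return servers


def unexpected_resolvers(servers: Iterable[str], expected: set[str]) -> list[str]:
    """Resolvers not on the allowlist are candidates for a hijacked router config."""
    return [s for s in servers if s not in expected]


def answers_disagree(local: set[str], trusted: set[str]) -> bool:
    """Second check: answers for the same hostname from the local resolver and
    from a trusted resolver should share at least one address. No overlap at
    all is a hijack indicator worth investigating (round-robin DNS can still
    cause partial differences, so this is a heuristic, not proof)."""
    return not (local & trusted)


if __name__ == "__main__":
    found = parse_nameservers(SAMPLE_RESOLV_CONF)
    print("configured resolvers:", found)
    print("unexpected resolvers:", unexpected_resolvers(found, EXPECTED_RESOLVERS))
    # constructed answer sets for a sentinel hostname: local vs trusted resolver
    print("hijack indicator:", answers_disagree({"192.0.2.10"}, {"198.51.100.7"}))
```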
(This story has not been edited by the Business Standard staff and is automatically generated from a syndicated feed)