A blog post titled ‘Roaming Mantis uses DNS hijacking to infect Android smartphones’ was published in April 2018, by the Kaspersky Lab, which spoke particularly about this Malware.
The malware i.e. Roaming Mantis utilizes Android malware which is intended to spread by means of DNS hijacking and targets Android gadgets specifically. This activity is said to be found for the most parts in Asia (South Korea, Bangladesh and Japan) in view of the telemetry data by the Kaspersky Lab.
Potential victims were supposedly redirected by DNS hijacking to a pernicious web page that distributed a Trojanized application spoofed Facebook or Chrome that is then installed by the users manually. The application in reality contained an Android Trojan-Banker.
Not long after their publication it was drawn out into the open that various other researchers were also additionally concentrated on this malware family. In May though, while the Roaming Mantis also known as MoqHao and XLoader, was being monitored, the scientists at the Kaspersky Lab observed some very significant changes in their M.O.
“The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition to that, the criminals also added a phishing option for iOS devices, and crypto-mining capabilities for the PC.”
According to Kaspersky Lab’s researcher Suguru Ishimaru, the last crusade including Roaming Mantis was likewise dissected by the Kaspersky Lab and the discoveries were point by point in its blog post “The Roaming Mantis campaign evolved significantly in a short period of time.”
The attacks have been extended to around 27 different languages including English, Hindi, Russian, Chinese, and Hebrew. Initially the malware was dispersed in five dialects only however now the range has been extended by utilizing an automatic translator. The full rundown of dialects is available here :
Roaming Mantis is likewise said to be well-equipped for stealing private and sensitive data and necessary related information from Apple and Android phones while cryptocurrency mining is performed by the accretion of a special script present in the malware’s HTML source code, which gets executed at whatever point the browser is opened.