Analysis

Campaign that targets Android devices and spreads mobile malware via SMS phishing techniques since at least 2018 has spread its tentacles to strike victims located in France and Germany for the first time.

Roaming Mantis, the latest spate of activities observed in 2021 involve sending fake shipping-related texts containing a URL to a landing page from where Android users are infected with a banking trojan known as Wroba whereas iPhone users are redirected to a phishing page that masquerades as the official Apple website.

The primary goal of the campaign is to deploy Wroba, which functions both as a spyware and banking malware, with capabilities to replace legitimate apps with malicious versions and steal credentials associated with victims’ online bank accounts.

One possible scenario is that the criminals steal details from such things as driver’s licenses, health insurance cards or bank cards, to sign up for contracts with QR code payment services or mobile payment services,” the researchers said. “The criminals are also able to use stolen photos to get money in other ways, such as blackmailing.

Effected Locations

  • France,
  • Japan,
  • India,
  • China,
  • Germany,

Mitigation

  1. Avoid clicking links in advertisements
  2. Use trusted antivirus software with anti-spyware features.
  3. Quarantining suspicious emails.
  4. Get your password security under control (Eg.2FA).
  5. Don’t click on online pop-ups.
  6. Try to avoid installation of third-party software’s.
  7. Keep software patched and updated.

IOCs

 

FileHash-SHA256 [30bdf42374a5bb6a83be08f9667e0a9395e411f911dab08d9c0814d30fb0e260]
FileHash-SHA256 [1e41a9f204ed3bf567eb955f9dae119213cdf4fa3c6dacaa9bb21e95dace021f]
FileHash-SHA1 [c9f9c541920ca07912dd9686700dc86d5d1d2f57]
FileHash-SHA1 [1ec6768018b2a78115156517bff03485264ff529]
FileHash-MD5 [ddd131d7f0918ece86cc7a68cbacb37d]
FileHash-MD5 [5bafe0e5a96b1a0db291cf9d57aab0bc]
FileHash-MD5 [527b5eebb6dbd3d0b777c714e707659c]
FileHash-MD5 [4fbc28088b9bf82dcb3bf42fe1fc1f6d]
FileHash-MD5 [2942ca2996a80ab807be08e7120c2556]
FileHash-MD5 [19c4be7d5d8bf759771f35dec45f267a]

 

Reference

 

  1. https://thehackernews.com/2022/02/roaming-mantis-android-malware.html
  2. https://otx.alienvault.com/pulse/6201efee7c69c05a8dca1d41