Kaspersky Lab's experts claim that a malware dubbed 'Roaming Mantis' uses compromised routers to infect Android-based smartphones and tablets, redirect iOS devices to a phishing site, and runs a cryptomining script on desktops and laptops.
The malware was discovered last month and was initially considered to be a lcal threat, since it was attscking users from Japan, Korea, China, India, and Bangladesh. However, Roaming Mantis has since then learned to speak another two dozen languages and is rapidly spreading around the world.
The creators of Roaming Mantis have chosen a simple form of DNS hijacking: they hijack the settings of compromised routers forcing them to use their own rogue DNS servers. That means that whatever is typed in the browser address bar of a device connected to this router, the user is redirected to a malicious site. After the user is redirected to the malicious site, they are prompted to update the browser. This leads to the download of a malicious app named chrome.apk (there was another version as well, named facebook.apk).
The malware requests a whole host of permissions during the installation process, including rights to access accounts information, send/receive SMS, process voice calls, record audio, access files, display its own window on top of others, and so on. For a trusted application like Google Chrome, such a list doesn't seem too suspicious - if the user considers this 'browser update' legit, they are sure to grant permissions without even reading the list.
After the application is installed, the malware uses the right to access the list of accounts to find out which Google account is used on the device. Next, the user is shown a message (it appears on top of all other open windows, since the malware also requested permission for that) saying that something is wrong with their account and that they need to sign in again. A page then opens prompting the user to enter their name and date of birth.
It appears that this data, together with the SMS permissions that grant access to the one-time codes needed for two-factor authentication, is then used by the creators of Roaming Mantis to steal Google accounts.
Roaming Mantis: world tour, iOS debut, and mining
In the beginning, Roaming Mantis displayed messages in four languages: English, Korean, Chinese, and Japanese. But somewhere along the line its creators decided to expand out and teach their polyglot malware another two dozen languages:
While they were at it, the creators also improved Roaming Mantis, teaching it to attack devices running iOS.
Accoding to Kaspersky, the cybercriminals do not confine themselves to stealing only Apple ID credentials; immediately after entering this data, the user is asked for a bank card number.
On desktop computers and laptops, Roaming Mantis runs the CoinHive mining script, which mines cryptocurrency straight into the pockets of the malware makers. The victim's computer processor is loaded to the max, forcing the system to slow down and consume vast amounts of power.
Security experts advise users to install antiviruses on all devices and regularly update all installed software on their devices. Om Android devices, users should disable installation of applications from unknown sources.