Roaming Mantis’ Android malware adds DNS changer to hack WiFi routers
The Roaming Mantis malware distribution campaign has updated its Android malware to include a DNS changer that modifies DNS settings on vulnerable WiFi routers to spread the infection to other devices.
The O/XLoader Android malware detects vulnerable WiFi routers based on their model and changes their DNS settings. The malware then creates an HTTP request to hijack a vulnerable WiFi router's DNS settings, causing connected devices to be rerouted to malicious web pages hosting phishing forms or dropping Android malware.
The O/XLoader Android malware variant was discovered by Kaspersky researchers, who have been tracking Roaming Mantis activity for years.
Kaspersky explains that Roaming Mantis has been using DNS hijacking since at least 2018, but the new element in the latest campaign is that the malware targets specific routers.
With the router's DNS settings now changed, when other Android devices connect to the WiFi network, they will be redirected to the malicious landing page and prompted to install the malware.
Although there are no landing pages for U.S.-based targets, and Roaming Mantis doesn't appear to be actively targeting router models used in the country, Kaspersky's telemetry shows that 10% of all XLoader victims are in the U.S.
Users can protect themselves from the Roaming Mantis campaigns by avoiding clicking on links received via SMS and, even more importantly, by not installing APKs from outside Google Play.
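One way a defender could check a network for the router DNS change described above, as an added example that is not from Kaspersky or the original article: it flags DHCP-advertised resolvers outside an expected set, and answer IPs that the local resolver returns for several unrelated domains while a reference resolver disagrees. The expected resolver list, the observation tuples and every address are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the resolvers the network owner deliberately configured on the router.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

def unexpected_resolvers(advertised, expected=EXPECTED_RESOLVERS):
    """Return DHCP-advertised DNS servers that are not in the expected set."""
    normalized = {str(ipaddress.ip_address(a.strip())) for a in advertised}
    return sorted(normalized - set(expected))

def converging_answers(observations, min_domains=3):
    """Flag IPs the local resolver returns for several unrelated domains
    while a trusted reference resolver returns something else for each.

    A single differing answer is common (CDNs, geo-DNS), so only an IP that
    shows up for at least `min_domains` distinct domains is reported.
    """
    by_ip = defaultdict(set)
    for domain, local_ips, reference_ips in observations:
        for ip in set(local_ips) - set(reference_ips):
            by_ip[ip].add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}

# Constructed sample data using documentation address ranges, not real indicators.
SAMPLE_ADVERTISED = ["192.0.2.53", "203.0.113.77"]
SAMPLE_OBSERVATIONS = [
    # (domain, answers via router-supplied resolver, answers via reference resolver)
    ("example.com", ["198.51.100.9"], ["192.0.2.10"]),
    ("example.net", ["198.51.100.9"], ["192.0.2.20"]),
    ("example.org", ["198.51.100.9"], ["192.0.2.30"]),
    ("cdn.example", ["192.0.2.41"], ["192.0.2.40"]),  # ordinary CDN variance
]

if __name__ == "__main__":
    print("Unexpected resolvers:", unexpected_resolvers(SAMPLE_ADVERTISED))
    print("Converging answers:", converging_answers(SAMPLE_OBSERVATIONS))
```

A hit from either function is a prompt to inspect the router's DNS configuration directly, not proof of compromise on its own.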