Roaming Mantis’ Android malware adds DNS changer to hack WiFi routers
2023-01-19 17:55

The Roaming Mantis malware distribution campaign has updated its Android malware to include a DNS changer that modifies DNS settings on vulnerable WiFi routers to spread the infection to other devices.

O/XLoader Android malware that detects vulnerable WiFi routers based on their model and changes their DNS. The malware then creates an HTTP request to hijack a vulnerable WiFi router's DNS settings, causing connected devices to be rerouted to malicious web pages hosting phishing forms or dropping Android malware.

O/XLoader Android malware variant was discovered by Kaspersky researchers, who have been tracking Roaming Mantis activity for years.

Kaspersky explains that Roaming Mantis has been using DNS hijacking since at least 2018, but the new element in the latest campaign is that the malware targets specific routers.

With the router's DNS settings now changed, when other Android devices connect to the WiFi network, they will be redirected to the malicious landing page and prompted to install the malware.

Although there are no landing pages for U.S.-based targets, and Roaming Mantis doesn't appear to be actively targeting router models used in the country, Kaspersky's telemetry shows that 10% of all XLoader victims are in the U.S.

Users can protect themselves from the Roaming Mantis campaigns by not clicking on links received via SMS and, even more importantly, by not installing APKs from outside Google Play.
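Because a changed router DNS setting affects every device that joins the network, a network owner can check for it from any client. The following Python check is an added example, not code from the article or from Kaspersky: it flags DHCP-assigned resolvers that are not on an approved list and compares answers from the network's resolver with answers from a trusted one. The approved list, the threshold, and all addresses and domains are constructed sample values; in practice the two answer sets would come from querying each resolver.

```python
import ipaddress

# Constructed sample data: resolvers the network owner configured on purpose.
APPROVED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}
SHARED_IP_THRESHOLD = 3  # assumption: this many unrelated names on one IP is odd

def _norm(addr):
    """Canonical text form of an IPv4/IPv6 address (ValueError if invalid)."""
    return str(ipaddress.ip_address(addr.strip()))

def unexpected_resolvers(assigned, approved=APPROVED_RESOLVERS):
    """Resolvers handed out by DHCP that are not on the approved list."""
    return sorted({_norm(a) for a in assigned} - {_norm(a) for a in approved})

def suspicious_answers(local, reference):
    """local/reference map domain -> set of IPs, from the network's resolver
    and from a trusted resolver. Findings are leads, not proof: CDNs and
    geo-DNS can legitimately return different addresses."""
    findings = []
    for domain, ref_ips in reference.items():
        got = local.get(domain, set())
        if got and got.isdisjoint(ref_ips):
            findings.append((domain, "no overlap with trusted answers"))
    # Group names by the address the local resolver returned for them.
    names_by_ip = {}
    for domain, ips in local.items():
        for ip in ips:
            names_by_ip.setdefault(ip, set()).add(domain)
    for ip, names in names_by_ip.items():
        if len(names) >= SHARED_IP_THRESHOLD:
            findings.append((ip, f"{len(names)} unrelated names share this IP"))
    return findings

# Constructed observations (documentation address ranges, example domains).
ASSIGNED = ["192.168.1.1", "203.0.113.53"]
REFERENCE = {"example.com": {"192.0.2.10"}, "example.net": {"192.0.2.20"},
             "example.org": {"192.0.2.30"}}
HIJACKED = {name: {"198.51.100.7"} for name in REFERENCE}

if __name__ == "__main__":
    print(unexpected_resolvers(ASSIGNED))
    for item in suspicious_answers(HIJACKED, REFERENCE):
        print(item)
```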


News URL

https://www.bleepingcomputer.com/news/security/roaming-mantis-android-malware-adds-dns-changer-to-hack-wifi-routers/

Related vendor

Vulnerability counts by severity, last 12 months:

VENDOR   #/PRODUCTS  LOW  MEDIUM  HIGH  CRITICAL  TOTAL VULNS
Android  4           0    17      2     0         19