Roaming Mantis’ Android malware adds DNS changer to hack WiFi routers (Security News, January 2023)
The Roaming Mantis malware distribution campaign has updated its Android malware to include a DNS changer that modifies DNS settings on vulnerable WiFi routers to spread the infection to other devices.
The O/XLoader Android malware detects vulnerable WiFi routers based on their model and changes their DNS settings. It does so by sending an HTTP request that hijacks the vulnerable router's DNS configuration, so that devices connected to the router are rerouted to malicious web pages hosting phishing forms or dropping Android malware.
This O/XLoader variant was discovered by Kaspersky researchers, who have been tracking Roaming Mantis activity for years.
Kaspersky explains that Roaming Mantis has been using DNS hijacking since at least 2018, but the new element in the latest campaign is that the malware targets specific routers.
With the router's DNS settings now changed, when other Android devices connect to the WiFi network, they will be redirected to the malicious landing page and prompted to install the malware.
Although there are no landing pages for U.S.-based targets, and Roaming Mantis doesn't appear to be actively targeting router models used in the country, Kaspersky's telemetry shows that 10% of all XLoader victims are in the U.S. Users can protect themselves from the Roaming Mantis campaigns by not clicking on links received via SMS and, even more importantly, by not installing APKs from outside Google Play.
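A defender-side check for the effect of such a router DNS changer, added here as an illustration and not taken from the article or Kaspersky's report: it flags resolver addresses that a router hands out via DHCP when they are neither the LAN gateway nor an expected public resolver, and compares canary-domain answers obtained through the router with a trusted reference. The LAN subnet, the trusted resolver set and all sample addresses are constructed assumptions.

```python
"""Spot router-level DNS hijacking of the kind Roaming Mantis performs.

Two signals are combined: (1) the router advertises an unexpected DNS
server via DHCP, and (2) a canary domain resolves differently through the
router than through a trusted reference (for example a DoH lookup).
All inputs below are constructed; in practice they come from the client's
DHCP lease and from live lookups.
"""
import ipaddress

# Constructed assumptions: the home LAN and the resolvers it is expected to use.
LAN = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}


def rogue_resolvers(dhcp_dns_servers, lan=LAN, trusted=TRUSTED_RESOLVERS):
    """Return DHCP-provided resolvers that are neither trusted nor on the LAN.

    A hijacked router may still hand out its own gateway address and proxy
    queries to the attacker's server, so this signal alone is not sufficient;
    canary_mismatches() covers that case.
    """
    return [s for s in dhcp_dns_servers
            if s not in trusted and ipaddress.ip_address(s) not in lan]


def canary_mismatches(observed, reference):
    """Report domains whose answers via the router share no IP with the reference.

    observed / reference: {domain: iterable of IP strings}.
    """
    return sorted(d for d, ips in observed.items()
                  if d in reference and not set(ips) & set(reference[d]))


def assess(dhcp_dns_servers, observed, reference):
    """Combine both signals into one verdict for the current network."""
    rogue = rogue_resolvers(dhcp_dns_servers)
    mismatches = canary_mismatches(observed, reference)
    return {"rogue_resolvers": rogue, "canary_mismatches": mismatches,
            "suspect": bool(rogue or mismatches)}


if __name__ == "__main__":
    # Constructed sample: the router now advertises an unknown public resolver
    # (TEST-NET-3 placeholder) and a banking domain resolves to a different host.
    dhcp = ["192.168.1.1", "203.0.113.53"]
    via_router = {"bank.example": {"198.51.100.7"}, "update.example": {"192.0.2.10"}}
    trusted = {"bank.example": {"192.0.2.20"}, "update.example": {"192.0.2.10"}}
    print(assess(dhcp, via_router, trusted))
```

Running the module prints the verdict for the constructed sample, in which both signals fire.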