Roaming Mantis malware
Target: Primarily Asia
Attack Vector: Mobile APKs
Summary: Roaming Mantis malware is designed to capture personal information from a target device, likely to aid in fraudulent activity against the victim. The attacks are made possible via a compromised router whose DNS settings have been changed to point the target device to a compromised website, a technique known as DNS hijacking.
However, because the infected devices connect over Wi-Fi and to multiple routers, this malware is likely to spread quickly through poorly administered devices.
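The router-level DNS hijacking described above leaves two signs a defender can check for from a client on the affected Wi-Fi network: the router hands out a resolver that is not on the expected list, and well-known domains resolve to addresses that a trusted resolver does not return. The following is an added illustration, not code from the original brief or from Kaspersky Lab; the allowlist, domains and addresses are constructed sample data so it runs offline.

```python
"""Flag indicators of router-level DNS hijacking (added example, constructed data).

Check 1: are the DNS servers the router handed out via DHCP ones we expect?
Check 2: do the router resolver's A records agree with a trusted resolver?
"""

# Resolvers an organisation expects its routers to hand out (assumed allowlist).
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}


def unexpected_resolvers(dhcp_dns_servers, expected=EXPECTED_RESOLVERS):
    """Return DNS servers from the DHCP lease that are not on the allowlist."""
    return sorted(s for s in dhcp_dns_servers if s not in expected)


def mismatched_answers(local_answers, trusted_answers):
    """Compare A records from the router's resolver with a trusted resolver.

    Both arguments map domain -> set of IPv4 strings. A domain whose local
    answer shares no address with the trusted answer is flagged, because a
    hijacked resolver steers well-known sites to an attacker-controlled host.
    """
    flagged = {}
    for domain, local in local_answers.items():
        trusted = trusted_answers.get(domain, set())
        if trusted and not (local & trusted):
            flagged[domain] = sorted(local)
    return flagged


def assess(dhcp_dns_servers, local_answers, trusted_answers):
    """Run both checks and return a small report dict."""
    rogue = unexpected_resolvers(dhcp_dns_servers)
    hijacked = mismatched_answers(local_answers, trusted_answers)
    return {"rogue_resolvers": rogue, "hijacked_domains": hijacked,
            "suspicious": bool(rogue or hijacked)}


# Constructed sample data (documentation address ranges only): a lease that
# adds a rogue resolver, and a resolver that answers two well-known domains
# with the same unrelated host while leaving a third domain untouched.
SAMPLE_DHCP_DNS = ["192.168.1.1", "203.0.113.77"]
SAMPLE_LOCAL = {"example.com": {"203.0.113.10"},
                "example.org": {"203.0.113.10"},
                "example.net": {"198.51.100.5"}}
SAMPLE_TRUSTED = {"example.com": {"198.51.100.20"},
                  "example.org": {"198.51.100.21"},
                  "example.net": {"198.51.100.5"}}

if __name__ == "__main__":
    print(assess(SAMPLE_DHCP_DNS, SAMPLE_LOCAL, SAMPLE_TRUSTED))
```

In practice the DHCP lease and the local answers come from the client's network configuration and resolver, and the trusted answers from a resolver reached by a path the router cannot tamper with.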
Risk assessment summary: The threat is assessed as 4c LOW. According to telemetry obtained by Kaspersky Lab there were more than 6,000 detections from just over 150 unique users, indicating a small and potentially targeted campaign to date; the likelihood is therefore assessed as lower at this stage, with no immediate indication of an increase in targets on a wider scale. The malware was predominantly designed to target Asian countries and is unlikely to have much success in English-speaking countries due to its heavily broken English, although future versions could easily improve the lures.
Because Android is the most common mobile operating system, it should not be underestimated how lucrative this malware could be, both to this group in the future and to other groups that could look to improve it, nor how widely it could be propagated via unsecured routers. The impact would be considered moderate in the event of a successful infection due to the level of access an actor would gain, both through the inbuilt phishing techniques and through access to call logs, messages, etc.