Kaspersky has continued to track the Roaming Mantis campaign. The group's attack methods have improved and new targets continuously added in order to steal more funds. The attackers' focus has also shifted to techniques that avoid tracking and research: allowlist for distribution, analysis environment detection and so on. We've also observed new malware families: Fakecop (also known as SpyAgent by McAfee) and Wroba.j (also known as Funkybot by Fortinet).

Distribution of Wroba.g via SMiShing with impersonated brands

In 2018, the group added a distribution method for Wroba.g (aliases: Moqhao and XLoader), in addition to the original method of DNS hijacking. It was SMiShing using a spoofed delivery notice from a logistics company. In 2019, we confirmed another new method where a downloaded malicious APK file has an icon that impersonates a major courier company brand. The spoofed brand icon is customized for the country it targets, for example, Sagawa Express for Japan; Yamato Transport and FedEx for Taiwan; CJ Logistics for South Korea; and Econt Express for Russia.

[Figure: Redirecting to a phishing site via malicious account on]

The targeted packages for online banks and mobile carriers correspond to the relevant accounts on that lead to phishing sites:

[Table: Pkgs | … or mobile carrier]

As can be seen in the table above, all the accounts have corresponding phishing sites as of December 2019 (data provided by on Twitter). These destination URLs are continuously changed by the attackers. In January 2020, only three of these accounts were enabled for some reason. However, as it's easy for the criminals to modify the phishing page address, apps without corresponding phishing sites are also likely to be attacked again in the near future.

Roaming Mantis has been using Wroba.g and Wroba.f as its main Android malware. In April 2019, we observed two more malware families, Wroba.j and Fakecop. These two malware families have some similarities with the other families in terms of infrastructure, distribution channel, etc. Based on our telemetry data, detection rates of both malicious programs were very low. We have created some slides, Roaming Mantis: A melting pot of Android bots in Botconf2019, showing the timeline, impersonated brands, malware features and money laundering method.

We believe that this was a test by the attacker. However, the most alarming thing we discovered was the following SMS spamming function in Wroba.j: This is particularly alarming, because it means all infected mobile devices could form a botnet for malware delivery, SMiShing, and so on.

[Figure: Checking the IMSI of mobile carrier Docomo]

According to the hardcoded IMSIs and strings shown below, the attacker seems to be targeting Docomo and Softbank mobile carriers.

The Roaming Mantis actor is strongly motivated by financial gain and is eager to evade tracking by researchers. It is now employing yet another method – allowlisting – to achieve this. This new method is currently only being applied for Korean pages, but it's only a matter of time before it's implemented for other languages. The actor is still very active in using SMiShing for Android malware distribution.
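A defender-side triage helper for two of the behaviours described above: the courier-brand SMiShing lure that delivers the malicious APK, and the IMSI-based carrier check found in Wroba.j. This is an added example, not Kaspersky's code and not anything taken from the Roaming Mantis samples. The brand-to-domain allowlist, the constructed sample SMS lines and the function names (`classify_sms`, `carrier_from_imsi`, `resolve_hardcoded_imsis`) are assumptions made here; the 440-10 and 440-20 MCC/MNC codes are the public assignments for NTT Docomo and SoftBank, not values quoted on the page.

```python
"""Triage helpers for courier-brand SMiShing lures and hardcoded IMSI prefixes.

Added example (not Kaspersky's code). The allowlist and sample messages below
are constructed for illustration; verify brand domains before relying on them.
"""
import re
from urllib.parse import urlparse

# Brand keyword -> domains the brand is ASSUMED to use legitimately. Treat these
# as placeholders and replace them with the courier's verified domains.
BRAND_ALLOWLIST = {
    "sagawa": {"sagawa-exp.co.jp"},
    "yamato": {"kuronekoyamato.co.jp"},
    "fedex": {"fedex.com"},
    "cj logistics": {"cjlogistics.com"},
    "econt": {"econt.com"},
}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def _host_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def classify_sms(text):
    """Describe why a message looks like a courier SMiShing lure.

    Flags a message that names a courier brand but links to a host outside that
    brand's allowlist (lookalike hosts such as fedex.com.<other> are caught because
    only true subdomains match), and any link that points at a direct .apk download.
    """
    lowered = text.lower()
    brands = [b for b in BRAND_ALLOWLIST if b in lowered]
    urls = URL_RE.findall(text)
    reasons = []
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.path.lower().endswith(".apk"):
            reasons.append(f"direct APK download: {url}")
        for b in brands:
            if not _host_matches(host, BRAND_ALLOWLIST[b]):
                reasons.append(f"'{b}' lure with off-brand host {host}")
    return {"brands": brands, "urls": urls, "suspicious": bool(reasons), "reasons": reasons}


# (MCC, MNC) -> carrier. 440-10 and 440-20 are the public codes for NTT Docomo
# and SoftBank; extend the table as needed when triaging other samples.
MCC_MNC = {
    ("440", "10"): "NTT Docomo (JP)",
    ("440", "20"): "SoftBank (JP)",
}


def carrier_from_imsi(imsi):
    """Resolve an IMSI or IMSI prefix to a carrier name, or None if unknown."""
    digits = re.sub(r"\D", "", imsi)
    if len(digits) < 5:
        return None
    mcc = digits[:3]
    # MNCs are two or three digits; try both so the table can hold either.
    for mnc_len in (2, 3):
        carrier = MCC_MNC.get((mcc, digits[3:3 + mnc_len]))
        if carrier:
            return carrier
    return None


def resolve_hardcoded_imsis(prefixes):
    """Map IMSI prefixes pulled from a sample during static analysis to carriers."""
    return {p: carrier_from_imsi(p) for p in prefixes}


# Constructed sample messages (not real SMiShing texts).
SAMPLE_SMS = [
    "Sagawa: your parcel could not be delivered, see http://sagawa-exp.co.jp/track",
    "Sagawa: your parcel could not be delivered, see http://example-delivery.test/sagawa.apk",
    "Your FedEx shipment is waiting: http://fedex.com.example.test/track",
    "Lunch at 12?",
]

if __name__ == "__main__":
    for line in SAMPLE_SMS:
        verdict = classify_sms(line)
        print("SUSPICIOUS" if verdict["suspicious"] else "ok        ", line)
        for reason in verdict["reasons"]:
            print("    -", reason)
    print(resolve_hardcoded_imsis(["44010", "44020", "31026"]))
```

Run as a script it prints one verdict per sample message and the carrier resolution for three constructed IMSI prefixes. The message classifier is meant for SMS gateway or MDM logs, where the brand-plus-off-domain-link pattern is a cheap first filter; the IMSI resolver is an analyst aid for reading the hardcoded prefixes out of a sample, so the Docomo and SoftBank entries explain what a check like the one in Wroba.j is selecting for.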