Roaming Mantis is a newly discovered Android malware that is built exclusively for sniffing banking and other credentials. The trojan gets installed on the Android smartphone by making use of a well-known technique called DNS hijacking.
What’s DNS Hijacking :
DNS is abbreviated to Domain Name Server. All of us know that computers can only understand binary. A DNS is the one that converts the domain name into an IP address, and finally the IP address is converted into binary digits. DNS hijacking is a technique where the attacker overrides the router's custom TCP/IP settings and redirects the user to a malware-infected website or a website of his choice.
Say, for example, you visit Facebook.com: the attacker on your network intercepts your web request and replaces its destination with a website of his own. The result displayed in your browser is the website of his choice, under Facebook.com's domain name. Once the attacker successfully performs DNS hijacking, he can redirect the user to a malware or phishing site and extract data from the victims. DNS hijacking can be easily performed with tools available over the internet.
How Roaming Mantis works :
The attackers first compromise the router. After compromising it, the attacker performs DNS hijacking and redirects the user from a legitimate website to a download page where the Roaming Mantis malware is downloaded. As per the attack scenarios reported so far, the attacker's webpage shows the message “For better experience, update to the latest version”.
Clicking OK downloads a trojanised Chrome file. This is a clone APK of Chrome to which the malware is hooked.
After installation, the trojan displays a popup in worse English than mine. Clicking “Enter” in the popup starts a local server on the device and redirects the user to a fake Gmail site where it asks for the user's information. In order to convince the user that the site is legitimate, the website displays the user's Gmail ID. After entering the information and clicking Enter, it redirects to some other page. It surreptitiously steals the data whenever you perform any online transaction through payment gateways. It also steals all other credentials, like those of social networks and other username/password pairs. Over 6000 cases have been registered so far for this malware. It keeps spreading widely in countries like China, Japan, Bangladesh and other Asian countries. The malware, as the security researchers say, supports four languages:
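As an added example (not code from the original post or from the Securelist report), a small Python checker for the two symptoms of the router-level DNS hijacking described above: the client being handed a resolver the network owner never configured, and a watched domain (such as the Gmail site the fake page imitates) resolving to different addresses through the local resolver than through a trusted reference resolver. All resolver addresses, allowed ranges and DNS answers below are constructed sample data from documentation ranges, not real infrastructure.

```python
"""Flag signs of router-level DNS hijacking (Roaming Mantis style).

Check 1: resolvers handed to the client (e.g. via DHCP) fall outside the
networks the owner expects them in.
Check 2: a watched domain resolves, via the local resolver, to an address set
sharing nothing with the answer from a trusted reference resolver.
"""
from ipaddress import ip_address, ip_network


def check_resolvers(configured, allowed_networks):
    """Return configured resolver IPs that sit in none of the allowed networks."""
    nets = [ip_network(n) for n in allowed_networks]
    return [r for r in configured
            if not any(ip_address(r) in net for net in nets)]


def compare_answers(local, trusted):
    """Return watched domains whose local answers overlap nothing in the trusted set."""
    mismatched = []
    for domain, trusted_ips in trusted.items():
        local_ips = set(local.get(domain, ()))
        if local_ips and local_ips.isdisjoint(trusted_ips):
            mismatched.append(domain)
    return sorted(mismatched)


def assess(configured, allowed_networks, local, trusted):
    """Combine both checks into one verdict the operator can alert on."""
    rogue = check_resolvers(configured, allowed_networks)
    mismatched = compare_answers(local, trusted)
    return {"rogue_resolvers": rogue,
            "mismatched_domains": mismatched,
            "suspicious": bool(rogue or mismatched)}


# Constructed sample data (RFC 5737 documentation ranges), not real addresses.
SAMPLE_CONFIGURED = ["192.168.1.1", "203.0.113.77"]  # second one: pushed by a tampered router
SAMPLE_ALLOWED = ["192.168.1.0/24", "198.51.100.0/24"]  # LAN gateway and ISP resolver range
SAMPLE_LOCAL = {"mail.google.com": ["203.0.113.50"],      # redirected to attacker host
                "example-bank.test": ["198.51.100.20"]}   # untouched
SAMPLE_TRUSTED = {"mail.google.com": ["198.51.100.10", "198.51.100.11"],
                  "example-bank.test": ["198.51.100.20"]}

if __name__ == "__main__":
    print(assess(SAMPLE_CONFIGURED, SAMPLE_ALLOWED, SAMPLE_LOCAL, SAMPLE_TRUSTED))
```

Domains served from CDNs legitimately return different addresses to different resolvers, so use a reference resolver queried from the same vantage point and treat a mismatch as a prompt to inspect the router, not as proof on its own.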
- Chinese (traditional)
- Japanese and
How to Stay safe from Roaming Mantis Malware :
- Monitor your router activity.
- Turn on MAC address-based authentication instead of keeping passwords for your Wi-Fi. Wi-Fi is the main entry gateway through which this malware spreads.
- Update your router firmware to the latest version.
- Keep changing your password once a week.
Source : Securelist.com