Cybercriminals Hijack Router DNS to Distribute Android Banking Trojan

Safety researchers relish been warning about an ongoing malware campaign hijacking Web routers to distribute Android banking malware that steals users’ serene recordsdata, login credentials and the secret code for two-factor authentication.

In expose to trick victims into inserting within the Android malware, dubbed Roaming Mantis, hackers relish been hijacking DNS settings on inclined and poorly secured routers.

DNS hijacking assault enables hackers to intercept traffic, inject rogue ads on web-pages and redirect users to phishing pages designed to trick them into sharing their serene recordsdata adore login credentials, checking account info, and more.

Hijacking routers’ DNS for a malicious reason is now now not new. Previously we reported about frequent DNSChanger and Switcher—each and every the malware labored by changing the DNS settings of the wireless routers to redirect traffic to malicious web sites controlled by attackers.

Discovered by security researchers at Kaspersky Lab, the brand new malware campaign has essentially been focusing on users in Asian countries, alongside side South Korea, China Bangladesh, and Japan, since February this year.

As soon as modified, the rogue DNS settings configured by hackers redirect victims to unfounded versions of professional web sites they strive to visit and shows a pop-up warning message, which says—”To raised abilities the having a look, replace to the most up-to-date chrome version.”

It then downloads the Roaming Mantis malware app masquerading as Chrome browser app for Android, which takes permission to amass plan’ account recordsdata, arrange SMS/MMS and making calls, file audio, adjust external storage, check packages, work with file programs, design overlay windows and heaps others.

“The redirection ended in the installation of Trojanized functions named fb.apk and chrome.apk that contained Android Trojan-Banker.”

If installed, the malicious app overlays all a large selection of windows on to expose a unfounded warning message (in broken English), which reads, “Chronicle No.exists dangers, use after certification.”

Roaming Mantis then begins a local web server on the plan and launches the earn browser to originate a unfounded version of Google web sites, asking users to absorb up their names and date of births.

To convince users into believing that they are handing over this knowledge to Google itself, the unfounded page shows users’ Gmail email ID configured on their contaminated Android plan, as confirmed within the screenshots.

“After the user enters their name and date of initiating, the browser is redirected to a smooth page at http://127.Zero.Zero.1:${random_port}/submit,” researchers acknowledged. “Appropriate adore the distribution page, the malware helps 4 locales: Korean, Venerable Chinese language, Eastern and English.”

Since Roaming Mantis malware app has already won permission to read and write SMS on the plan, it enables attackers to take hold of the secret verification code for the 2-factor authentication for victims’ accounts.

Whereas analysing the malware code, Researchers found reference to current South Korean mobile banking and gaming functions, to boot to a feature that tries to detect if the contaminated plan is rooted.

“For attackers, this can even display that a plan is owned by an stepped forward Android user (a signal to stop messing with the plan) or, alternatively, an different to leverage root find entry to to impact find entry to to the total plan,” the researchers acknowledged.

What’s attention-grabbing about this malware is that it uses one among the main Chinese language social media web sites (my.television.sohu.com) as its insist-and-adjust server and sends commands to contaminated devices upright by job of updating the attacker-controlled user profiles.

According to Kaspersky’s Telemetry recordsdata, the Roaming Mantis malware became as soon as detected more than 6,000 times, though the reports came from upright 150 bizarre users.

You would possibly maybe be suggested to assemble sure your router is working the most up-to-date version of the firmware and stable with a sturdy password.

You would possibly maybe maybe additionally mute also disable router’s remote administration feature and hardcode a depended on DNS server into the working plan community settings.