The threat actor known as Roaming Mantis (or Shaoye) has reportedly added a DNS changer function to its latest mobile app Wroba.o to infiltrate WiFi routers and undertake DNS hijacking.
The findings come from Kaspersky’s SecureList researchers, who published an advisory about Roaming Mantis earlier today.
According to the technical write-up, the threat actor has been conducting a long-term campaign that uses malicious Android package (APK) files to control infected Android devices and obtain device information.
“Back in 2018, Kaspersky first saw Roaming Mantis activities targeting the Asian region, including Japan, South Korea and Taiwan. At that time, the criminals compromised Wi-Fi routers for use in DNS hijacking, which is a very effective technique,” reads the advisory.
“From mid-2019 until 2022, the criminals mainly used smishing instead of DNS hijacking to deliver a malicious URL as their landing page.”
This page, Kaspersky wrote, identified the user’s device platform to deliver malicious APK files for Android or redirect to phishing pages for iOS.
“In September 2022, we […] discovered the DNS changer was implemented to target specific Wi-Fi routers. It obtains the default gateway IP address as the connected Wi-Fi router IP and checks the device model from the router’s admin web interface.”
The security researchers also discovered that the feature was implemented to mainly target WiFi routers located in South Korea. Victims of Roaming Mantis were also spotted in France, Japan, Germany, the US, Taiwan, Turkey and other regions.
“We believe that the discovery of this new DNS changer implementation is very important in terms of security,” SecureList warned.
“The attacker can use it to manage all communications from devices using a compromised Wi-Fi router with rogue DNS settings. For instance, the attacker can redirect to malicious hosts and interfere with security product updates.”
Kaspersky said they see the potential for the group to use the DNS changer to target other regions and cause significant issues. To help companies spot Roaming Mantis’ Wroba.o infections, a list of indicators of compromise (IoC) is available in the SecureList advisory.
Its publication comes weeks after Google announced it is increasingly improving Android security with memory-safe programming languages.