Elain Brown Tech 07.19.2022 01:Jul AM EDT

Roaming Mantis: What You Have to Know About This Financially-Motivated Operation Tricking People Into Downloading Malware

Roaming Mantis phishing strategy is increasingly becoming more of a threat.

Roaming Mantis is a malware that now targets to trap thousands of victims that are iOS and Android users in France. Before moving to France, this malware appeared to different countries across the globe including U.K., US, Germany, Japan, South Korea, and Taiwan.

The threat actors behind this massive phishing campaign entices users to download the malware through SMS messaging if they use an Android device.

On the other hand, if a user is using an iOS device, then they will be redirected to a phishing page that asks for their Apple credentials.

This malware, just like any cyberattack campaign launched by mostly malicious hackers, is highly believed to be financially motivated.

The attack of the Roaming Mantis is reported to have successfully compromised a slew of users in France of approximately 70.000 Android devices.

MoqHao, also known as Wroba or XLoader for Android, is a Remote Access Trojan (RAT) for Android that spreads through SMS messages and has the ability to steal information and create backdoors.

Roaming Mantis

The Roaming Mantis smimighing messages contains an embedded malicious URL.

The URL either deploys the MoqHao Android malware, or redirects to an Apple login details credential harvesting page. The rampant activity was detected by SEKOIA.IO analysts on July 4, 2022. SEKOIA is a cybersecurity SAAS company.

If the target chooses to activate the link by clicking on it, an HTTP request will be transmitted to the server. The server's response will vary, depending on the victim's device operating system and location.

If the victims who clicked the links are not located in France, it will display a "404 Not Found" result.

However, if the user is local in France and has Android, it will lead to an Android Package Kit (APK) file. On the contrary, if the user is located in France and is using an iPhone, it will lead them to a fake Apple website.

If the user is on Android, it will entice the victims to download the malicious APK as an update for their web browser.

After the infected application has been downloaded and run by the victim, it will inquire about the user's authorization to read and send SMS messages.

This permission enables the malware to do a variety of tasks, including intercepting text messages sent from mobile phones belonging to victims.

SEKOIA.IO's investigation led them to analyze that the threat actors are targeting France due to the wide influx of victims.

Roaming Mantis's Privacy Threat

According to BleepingComputer, the malicious actors can use the malware to conduct identity theft, financial fraud, blackmail, or compromise information and data related to insurances, licenses, or bank details.

Additionally, SEKOIA.IO stated, "This activity leveraging MoqHao or Apple IDs' credential harvesting pages notably provides Roaming Mantis access to data from the local system, SD card, applications, messages or contact list, iCloud backups, iMessage, call history, as well as allowing remote interaction with a victims' device."

To avoid being a victim of the Roaming Mantis, XLoader Payload, or any malware, it is recommended to avoid downloading APKs from unusual sources.

It is also advisable not to click to any links sent via email or SMS messages that are from an unknown source. Lastly, to protect a device, Android security tools can help users flag these malicious softwares.