In companionship to flim-flam victims into installing the Android malware, dubbed Roaming Mantis, hackers cause got been hijacking DNS settings on vulnerable in addition to poorly secured routers.
DNS hijacking attack allows hackers to intercept traffic, inject rogue ads on web-pages in addition to redirect users to phishing pages designed to flim-flam them into sharing their sensitive information similar login credentials, banking concern occupation organisation human relationship details, in addition to more.
Hijacking routers' DNS for a malicious role is non new. Previously nosotros reported close widespread DNSChanger in addition to Switcher—both the malware worked past times changing the DNS settings of the wireless routers to redirect traffic to malicious websites controlled past times attackers.
Discovered past times safety researchers at Kaspersky Lab, the novel malware campaign has primarily been targeting users inwards Asian countries, including South Korea, China Bangladesh, in addition to Japan, since Feb this year.
Once modified, the rogue DNS settings configured past times hackers redirect victims to simulated versions of legitimate websites they endeavor to catch in addition to displays a pop-up alert message, which says—"To amend sense the browsing, update to the latest chrome version."
"The redirection led to the installation of Trojanized applications named facebook.apk in addition to chrome.apk that contained Android Trojan-Banker."If installed, the malicious app overlays all other windows straightaway to exhibit a simulated alert message (in broken English), which reads, "Account No.exists risks, work subsequently certification."
Roaming Mantis thus starts a local spider web server on the device in addition to launches the spider web browser to opened upward a simulated version of Google website, shout out for users to fill upward up their names in addition to appointment of births.
"After the user enters their cite in addition to appointment of birth, the browser is redirected to a blank page at http://127.0.0.1:${random_port}/submit," researchers said. "Just similar the distribution page, the malware supports 4 locales: Korean, Traditional Chinese, Japanese in addition to English."Since Roaming Mantis malware app has already gained permission to read in addition to write SMS on the device, it allows attackers to pocket the surreptitious verification code for the two-factor authentication for victims' accounts.
While analysing the malware code, Researchers establish reference to pop South Korean mobile banking in addition to gaming applications, every bit good every bit a part that tries to honour if the infected device is rooted.
"For attackers, this may betoken that a device is owned past times an advanced Android user (a signal to halt messing amongst the device) or, alternatively, a gamble to leverage root access to arrive at access to the whole system," the researchers said.What's interesting close this malware is that it uses i of the leading Chinese social media websites (my.tv.sohu.com) every bit its command-and-control server in addition to sends commands to infected devices but via updating the attacker-controlled user profiles.
You are advised to ensure your router is running the latest version of the firmware in addition to protected amongst a rigid password.
You should likewise disable router's remote direction characteristic in addition to hardcode a trusted DNS server into the operating organisation network settings.
