Roaming Mantis targets french Android and iPhone users

Several months after it extended its reach to target European countries, the mobile threat campaign known as Roaming Mantis has been connected to a new wave of breaches focused against French mobile phone users. Sekoia said in a report that the active malware operation is believed to have infected no less than 70,000 Android smartphones.

Roamin Mantis Malware 1024x506

Attack chains that involve Roaming Mantis, a financially motivated Chinese threat actor, have been known to either deploy a piece of banking trojan known as MoqHao (aka XLoader) or redirect iPhone users to credential-harvesting landing pages that mimic the iCloud login page. Both of these tactics are known to be used to steal login credentials.

Researchers from Sekoia revealed that MoqHao, also known as Wroba or XLoader for Android, is a sort of Android remote access Trojan (RAT) that is capable of collecting information and opening backdoors. It is suspected that the threat most likely spreads via SMS.

It all begins with a phishing SMS, also known as smishing, which lures users in with messages having a topic related to package delivery that contains rogue links that the users should follow. These links, when clicked on, proceed to download the malicious APK file, but only after determining whether the victim is located within the borders of France.

According to the researchers’ findings, the smishing campaign is geofenced and tries to install Android malware or acquire Apple iCloud credentials from the targeted victims.

If the recipient’s device does not use Android or iOS as its operating system – which can be determined by looking at the IP address and the User-Agent string – the server is programmed to respond with a “404 Not found” status code. The same  “404 Not found” response appears if the recipient’s location is outside France.

In most cases, MoqHao’s first-stage delivery infrastructure is composed of domains that are created by the dynamic DNS provider Duck DNS. In addition, the malicious program pretends to be the Chrome web browser application to deceive users into giving it the authorization to access private information.

The data-stealing Trojan offers a gateway window for remote interaction with the infected devices, which enables the attackers to silently collect sensitive data such as iCloud data, contact lists, phone history, and SMS messages, amongst other types of information.

In relation to the recent revelations, Sekoia warns that the collected data may be put to use in different extortion schemes or might even be sold to other threat actors for a profit.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment