The Roaming Mantis Android malware campaign has descended on Europe, quickly infesting France in particular, where there have been 66,789 downloads of the group’s specific Remote Access Trojan (RAT) as of Jan.
The ‘smishing’ group lived up to its name, expanding globally & adding image exfiltration to the Wroba RAT it uses to infect mobile victims.
The campaign pushes the Android RAT known as Wroba (aka Moqhao or XLoader) onto victim devices.
Victim Device
According to research from Kaspersky, it has been updated with the ability to take images & galleries from a victim device, which potentially leads to lifting sensitive information from things such as drivers’ licenses, abusing stored QR codes for payment services, or even for blackmail or sextortion.
Roaming Mantis has been on the move since 2018, mostly observed in Japan, South Korea & Taiwan. Now, its arrival in France has resulted in that country seeing the highest volume of attacks worldwide, according to researchers at Kaspersky. There have also been detections in Germany.
Smishing
“The actor is focusing on expanding infection via smishing to users in Europe,” Kaspersky researchers noted in a Mon. writeup. “The campaign in France & Germany was so active that it came to the attention of the German police & French media.”
The campaign typically spreads via “smishing” – i.e., SMS-based phishing, usually impersonating Google Chrome or a region-specific entity such as Yamato Transport in Japan.
“Typically, the smishing messages contain a very short description & a URL to a landing page,” they explained. “If a user clicks on the link & opens the landing page, there are 2 scenarios: iOS users are redirected to a phishing page imitating the official Apple website, while the Wroba malware is downloaded on Android devices.”
Infected Device
The Wroba RAT has a feature that checks the region of the infected device in order to display a phishing page in the corresponding language. In the past, it has checked for Asian regions, but Germany & France have been added as well, according to Kaspersky.
Interestingly, researchers also found that for non-targeted regions, the landing page blocks the connection from the source IP address, so the user just receives a fake “404” error page.
Recent Updates
The criminal group behind Roaming Mantis has recently updated some of its other tactics & tools, including adding various extra techniques in order to evade detection.
“1st, the actor changed the programming language from Java to Kotlin, a programming language designed to interoperate fully with Java,” researchers explained. “Then…the data structure of the embedded payload…was also modified.”
The 1st-stage payload, a loader that fetches Wroba, is now encased in a carapace of junk code, the researchers found. It is an .ELF file embedded into the .APK file that is downloaded to the device.
Java Native Interface
The .ELF file uses the Java Native Interface (JNI) to install the 2nd-stage payload; it handles decryption & also part of the loading feature, according to the researchers.
“The loader function takes each section of data from the embedded data, except the junk data,” they explained. “Then, the encrypted payload is XORed using the embedded XOR key. After the XOR operation, as with previous samples, the data is decompressed using zlib to extract the payload, a Dalvik Executable (DEX) file.”
The decrypted payload is then saved & executed to infect victim devices with the malicious main module.
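For analysts who want to recover the DEX statically rather than run the loader, the unpacking steps quoted above (skip junk, XOR, zlib) can be reproduced as follows. This is an added example, not code from Kaspersky or from the malware; the section list, the repeating-key XOR and the sample data are assumptions, since the writeup does not give the embedded data layout.

```python
import zlib
from itertools import cycle

DEX_MAGIC = b"dex\n"          # DEX files begin with "dex\n", a version and a NUL
MAX_OUT = 64 * 1024 * 1024    # cap output so a hostile stream cannot exhaust memory

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (a one-byte key is the simplest case)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def unpack_payload(blob: bytes, sections, key: bytes) -> bytes:
    """Statically recover the DEX: join non-junk sections, XOR, zlib-inflate.

    sections: ordered (offset, length) pairs of the real data, which the analyst
    reads out of the loader (hypothetical input; the page gives no layout).
    """
    if not key:
        raise ValueError("empty XOR key")
    encrypted = bytearray()
    for offset, length in sections:
        if offset < 0 or length < 0 or offset + length > len(blob):
            raise ValueError(f"section ({offset}, {length}) lies outside the blob")
        encrypted += blob[offset:offset + length]   # junk between sections is skipped
    inflater = zlib.decompressobj()
    try:
        payload = inflater.decompress(xor_bytes(bytes(encrypted), key), MAX_OUT)
    except zlib.error as exc:
        raise ValueError("not a zlib stream: wrong key or section list") from exc
    if not inflater.eof:
        raise ValueError("zlib stream truncated or larger than MAX_OUT")
    if not payload.startswith(DEX_MAGIC):
        raise ValueError("inflated data does not start with the DEX magic")
    return payload

def build_constructed_sample():
    """Constructed input (no real malware): placeholder 'DEX' packed as described."""
    fake_dex = b"dex\n035\x00" + b"constructed placeholder body " * 8
    key = b"\x5a\xa7"                                # constructed key
    enc = xor_bytes(zlib.compress(fake_dex), key)
    half, junk = len(enc) // 2, b"\xcc" * 16         # constructed junk filler
    blob = junk + enc[:half] + junk + enc[half:] + junk
    sections = [(16, half), (32 + half, len(enc) - half)]
    return blob, sections, key, fake_dex

if __name__ == "__main__":
    blob, sections, key, expected = build_constructed_sample()
    print(unpack_payload(blob, sections, key) == expected)
```

A failed zlib or DEX-magic check is the useful signal here: it means the key or the section boundaries pulled from the sample are wrong, which is the usual symptom when the packing format changes between variants.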
Stealing Images
As for the Wroba backdoor itself, the RAT has received 2 new data-stealing commands: “get_photo” and “get_gallery.” This brings the total number of embedded backdoor commands to 21, according to Kaspersky.
“These new backdoor commands are added to steal galleries and photos from infected devices,” researchers noted.
Get Money
“This suggests the criminals have 2 aims in mind. 1 possible scenario is that the criminals steal details from such things as driver’s licenses, health insurance cards or bank cards, to sign up for contracts with QR code payment services or mobile payment services.
The criminals are also able to use stolen photos to get money in other ways, such as blackmail or sextortion.”
They added, “We predict these attacks will continue in 2022 because of the strong financial motivation.”