Researchers have discovered attacks targeting Android and iPhone users in Germany and France with malicious applications and phishing pages, indicating that the Roaming Mantis SMS phishing campaign has reached Europe. Roaming Mantis is a malware distribution and credential theft campaign that distributes malicious Android apps as independent APK files outside the Google Play Store via SMS phishing (smishing).
Roaming Mantis is now targeting people in France and Germany with smishing messages and landing pages inserted on compromised reputable websites, with the help of a trojan known as ‘Wroba.’ The purpose of this trojan is to steal e-banking credentials. Like other similar trojans, it spreads automatically by sending SMS phishing texts to everyone in the infected device’s contacts.
The infection chain begins when the target device receives an SMS message containing a brief warning about a shipping item and a URL. If the victim opens the URL on an Apple device, they are sent to a phishing website where their Apple login credentials are stolen. If the victim has an Android smartphone, they are sent instead to a landing page that asks them to install malware disguised as an Android app.
The applications carrying Wroba primarily impersonate Google Chrome, although they also mimic the Yamato transport and ePOST apps. The Wroba loader and payload have grown in comparison to previous versions and are now developed in Kotlin, a Java-friendly language. The backdoor has 21 harmful commands that the attackers may use, with two new ones introduced in recent operations. “Get gallery” and “get photo” are the two new commands, designed to take the victim’s photographs and videos and upload them to the attacker’s servers.
Kaspersky explains that, if sensitive material is stolen, threat actors may exploit these two new commands for financial fraud, identity theft, blackmail, and extortion.
To keep Roaming Mantis and other Android malware from infiltrating your device, avoid downloading APKs from unknown sources and never allow packages from unknown sources to be installed. Furthermore, SMS texts with URLs should always be handled with care and suspicion, even if they are from someone known. Finally, an Android internet security product from a reputable vendor might help flag these URLs when they are visited.