The Roaming Mantis smishing campaign has been running since 2018, predominantly in Asia. The attackers impersonate a logistics company in order to steal SMS messages and contact lists from Android users.
As the McAfee Mobile Research team reported, since January 2021 the Roaming Mantis operators have switched to targeting Japanese users with a new piece of malware, SmsSpy. According to the researchers, the main purpose of this campaign is to steal phone numbers and SMS messages from victims.
McAfee researchers say that, over the course of the ongoing smishing campaign, the attackers have targeted Asian users with mobile malware such as MoqHao, SpyAgent, and FakeSpy.
The newly discovered SmsSpy malware uses modified infrastructure and payloads.
In the first stage of the attack, the phishing page determines the victim's Android OS version and serves a different malicious payload depending on it, which lets the attackers infect a much broader range of Android devices. On Android 10 or later the page offers a fake Google Play app for download; on Android 9 or earlier it offers a fake Chrome app. Splitting the payload this way lets the operators keep up with each major Android release by adding a variant rather than reworking the malware's code every time.
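The version fork above is easy to reproduce, and doing so is useful when triaging a suspected landing page or its access logs: it tells an analyst which User-Agent to send to collect each payload, and which lure a logged visitor would have been offered. The following is an added example written for this article, not McAfee's code or anything recovered from the campaign; the branch names, probe User-Agents, and log lines are constructed assumptions, since the article does not give the real file names or URLs.

```python
import re
from typing import List, Optional, Tuple

# Regex for the Android token that Chrome and the Android WebView put in the
# User-Agent, e.g. "Android 10;" or "Android 4.4.2;". Major is required,
# minor and patch are optional.
_ANDROID_RE = re.compile(r"\bAndroid[ /](\d+)(?:\.(\d+))?(?:\.(\d+))?", re.IGNORECASE)

# Labels for the two branches the article describes. The real campaign's
# file names and URLs are not given there, so these names are assumptions.
FAKE_GOOGLE_PLAY = "fake_google_play"   # served to Android 10 and later
FAKE_CHROME = "fake_chrome"             # served to Android 9 and earlier


def android_version(user_agent: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) parsed from an Android User-Agent, or None
    if the UA is not an Android one. Missing minor/patch parts default to 0."""
    m = _ANDROID_RE.search(user_agent)
    if not m:
        return None
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def choose_payload(user_agent: str) -> Optional[str]:
    """Emulate the phishing page's fork. The major version is compared as an
    integer on purpose: a string compare would rank "9" above "10" and send
    old devices the wrong lure. Non-Android visitors get no payload."""
    version = android_version(user_agent)
    if version is None:
        return None
    return FAKE_GOOGLE_PLAY if version[0] >= 10 else FAKE_CHROME


# Constructed User-Agents an analyst can send (for example with curl -A) to
# pull each branch's payload from a suspected landing page. Device names are
# illustrative only.
PROBE_USER_AGENTS = {
    FAKE_GOOGLE_PLAY: "Mozilla/5.0 (Linux; Android 11; Pixel 4) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/89.0.4389.105 Mobile Safari/537.36",
    FAKE_CHROME: "Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/89.0.4389.105 Mobile Safari/537.36",
}

# Combined-log style access log line: the quoted User-Agent is the last field.
_LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"\s*$')


def classify_log_lines(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """For each access-log line return (client_ip, branch-or-None), i.e. which
    lure a visitor with that User-Agent would have been offered. Lines that
    do not match the expected format are skipped."""
    results = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        ip, ua = m.group(1), m.group(2)
        results.append((ip, choose_payload(ua)))
    return results


# Constructed sample log lines (not real campaign data).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Apr/2021:10:01:02 +0900] "GET /track HTTP/1.1" 200 4120 "-" '
    '"Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 Chrome/89.0 Mobile Safari/537.36"',
    '203.0.113.9 - - [20/Apr/2021:10:01:07 +0900] "GET /track HTTP/1.1" 200 4120 "-" '
    '"Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F) AppleWebKit/537.36 Chrome/33.0 Mobile Safari/537.36"',
    '203.0.113.12 - - [20/Apr/2021:10:01:09 +0900] "GET /track HTTP/1.1" 200 4120 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148"',
]

if __name__ == "__main__":
    for ip, branch in classify_log_lines(SAMPLE_LOG):
        print(f"{ip:<14} -> {branch or 'no Android payload'}")
```

Running the script classifies the three constructed visitors as fake Google Play, fake Chrome, and no payload respectively. When fetching a live landing page, request it once with each entry of `PROBE_USER_AGENTS` so that both branches are captured; a page that only ever serves one of them, or that returns nothing for a desktop User-Agent, is itself a useful indicator.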
The researchers also describe a smishing wave in which the attackers mimic messages from a Bitcoin operator and direct the victim to a phishing login page.
In the second phase of the attack, the malware masquerades as a Chrome or Google Play security-service app and asks the user to make it the default messaging application, so that it can steal the victim's contacts and SMS messages.
The fake app shows the following messages to Japanese users:
“At first startup, a dialog requesting permissions is displayed. If you do not accept it, the app may not be able to start, or its functions may be restricted.”
“Secure Internet Security. Your device is protected. Virus and Spyware protection, Anti-phishing protection and Spam mail protection are all checked.”
The malware opens a WebSocket connection to the attackers' command-and-control (C2) server, sends the Android OS version, phone number, network type (4G or Wi-Fi), device model, and device ID of the infected device, and then waits for further commands.
McAfee believes that several groups are involved in this campaign, each developing its own attack infrastructure and malware.