Kaspersky Lab has identified a new strain of Android malware that redirected users to malicious websites by hijacking the DNS settings of their Wi-Fi routers. Dubbed "Roaming Mantis", the malware was used to steal users' login credentials for everything from online gaming accounts to email and banking sites.

The security firm could not determine how the attackers behind the malware modified the DNS settings of victims' routers. It did establish that the campaign was concentrated in South Korea, with further victims in India, Japan, and Bangladesh.

Despite the complex nature of the attack, the number of victims was relatively small: Kaspersky saw the malicious landing pages served only about 6,000 times to roughly 150 unique IP addresses during the two-month operation period between February 9 and April 9, 2018.
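A router whose DNS settings have been hijacked answers queries differently from a trusted resolver, and that difference is something anyone on the network can check for. The script below is an added example, not Kaspersky's code or anything from the campaign: it builds raw DNS A queries over UDP, parses the wire-format answers, and reports domains on which the router-assigned resolver disagrees with a reference resolver. The router address 192.168.1.1, the reference resolver 1.1.1.1 and the embedded sample response are assumptions constructed for illustration.

```python
import random
import socket
import struct

# Resolver addresses are assumptions for illustration: a typical home router
# gateway and a public resolver used as the reference. Replace for your network.
ROUTER_DNS = "192.168.1.1"
REFERENCE_DNS = "1.1.1.1"


def build_query(name, txid):
    """Build a standard recursive DNS A query (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_a_records(msg, expected_txid):
    """Return the sorted IPv4 addresses in the answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.append(socket.inet_ntoa(rdata))
    return sorted(answers)


def resolve_a(name, resolver_ip, timeout=3.0):
    """Send one UDP query to resolver_ip and return its A records."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def find_mismatches(router_answers, reference_answers):
    """Domains whose A records from the router differ from the reference resolver."""
    return sorted(d for d, ips in router_answers.items()
                  if set(ips) != set(reference_answers.get(d, [])))


# Constructed sample response (not captured traffic): example.com -> 192.0.2.1,
# with the answer name given as a compression pointer back to the question.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
)


def check_router(domains, router=ROUTER_DNS, reference=REFERENCE_DNS):
    """Live check: query both resolvers for each domain and report disagreements."""
    router_answers = {d: resolve_a(d, router) for d in domains}
    reference_answers = {d: resolve_a(d, reference) for d in domains}
    return find_mismatches(router_answers, reference_answers)


if __name__ == "__main__":
    print(check_router(["example.com", "www.google.com"]))
```

Read the result with care: CDN-fronted domains legitimately return different addresses from different resolvers, so a single disagreement proves nothing. The pattern that matches this campaign is several unrelated, well-known domains all resolving through the router to the same unexpected address; when that shows up, compare the DNS servers listed in the router's admin page against what the ISP should have assigned.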

Hackers Combined Malware With Attack on Wi-Fi Router to Steal Information

The sites users were redirected to offered fake versions of popular Android apps for download, including Google Chrome and Facebook. Both the websites and the apps were available in only five languages, Korean, Traditional and Simplified Chinese, English, and Japanese, which indicates that the attack mainly targeted users in East Asia.

Once installed, the apps requested excessive permissions that gave them access to almost all data stored on the phone. On rooted devices the malware could also obtain root privileges and browse the entire file system.


Data theft was not the main goal, however. The apps were designed to draw overlays on top of other apps and capture the login details typed into them, including popular games, Gmail and similar communication apps, and above all banking apps. The harvested credentials could then be used for fraud at a later point in time.

While Android malware has become fairly common, this was the first observed campaign in which attackers combined Android malware with DNS hijacking of home routers.