Roaming Mantis group incorporates a new DNS changer function

February 3, 2023
Roaming Mantis Threat Group DNS Changer Function

The Roaming Mantis operators have incorporated a new DNS changer feature into their Android malware to breach WiFi routers in public places. Researchers first identified this threat last year and have spotted new tools and tactics for the malware this year.

According to investigations, Roaming Mantis uses the new Wroba[.]o malware, which includes code and hardcoded strings for identifying the WiFi router model from a targeted router's admin web interface.

These adversaries have implemented the DNS changer tool to compromise WiFi routers in South Korea using hardcoded strings. In addition, the DNS changer connects to a vk[.]com account to retrieve the next destination, which supplies the attackers' current rogue DNS IP addresses.

The DNS changer utilises hardcoded default credentials and crafts a URL query containing the rogue DNS IPs to overwrite the DNS settings of a targeted WiFi router.

Researchers noted that the query would depend on the model of the targeted router.

The Roaming Mantis operators use the rogue DNS server to resolve certain domain names to specific landing pages only when they are accessed from a mobile device. The group uses this tactic to hide its activity from security researchers.

Analysts confirmed that since September last year, the group has been deploying its malware with the new DNS changer tool to maintain a persistent foothold on South Korean routers.

Furthermore, a recent tally counted the number of malicious APK downloads in the first half of December. The most affected region was Japan, with 24,645 downloads, followed by Austria, France, Germany, South Korea, Turkey, Malaysia, and India.

Experts believe that these threat actors could soon implement DNS changer functionality to target more WiFi routers in more regions globally.

Uncovering the new DNS changer feature is crucial for the security of Android users. Attackers using this functionality gain the ability to control communications from compromised devices via the infected WiFi routers.

In addition, attackers could redirect users to malicious hosts and block security product updates. For now, experts advise that Android users avoid opening links in suspicious SMS messages and avoid installing APKs from third-party sources.
