French Android and iPhone Users Are Being Targeted by Roaming Mantis Financial Hackers


Months after expanding to other European countries, the mobile threat campaign tracked as Roaming Mantis is now attacking French mobile users. According to a report Sekoia published last week, around 70,000 Android devices have been affected by this active malware operation.

The attack chains are attributed to Roaming Mantis, a financially motivated Chinese threat actor that relies on one of two tactics. The first is deploying MoqHao (also known as XLoader), a banking trojan.

The second is redirecting iPhone users to credential-harvesting landing pages. These pages typically mimic the iCloud login page to collect users' credentials.

MoqHao, also known as Wroba or XLoader for Android, is an Android remote access trojan (RAT). It steals information, has backdoor capabilities, and spreads through SMS.

According to Sekoia, a MoqHao operation starts with phishing SMS messages that lure users with package-delivery-themed text. These messages contain rogue links that download a malicious APK file when the user clicks on them, but the APK is served only when the server determines that the victim is located in France.

If the location is outside France, or the device's operating system is neither Android nor iOS, the server instead responds with a 404 Not Found status code.

Researchers therefore believe this smishing campaign is geofenced and aims either to install Android malware or to collect iCloud login credentials from Apple users.

MoqHao uses domains generated through the dynamic DNS service Duck DNS for its first-stage delivery infrastructure. The malicious app is also known to masquerade as the Chrome web browser, which helps it trick users into granting it unnecessary permissions.
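As an added example (not code from the Sekoia report or from the original article), a small defender-side triage script that flags delivery-themed SMS lures whose links point at Duck DNS dynamic-DNS hosts, the first-stage delivery pattern described above. The SMS records, sender numbers and hostnames are constructed for the example.

```python
"""Triage helper: flag package-delivery smishing texts that link to dynamic-DNS hosts."""
import re
from dataclasses import dataclass

# Sample SMS records (sender, text), constructed for this example; not real campaign data.
SAMPLE_SMS = [
    ("+33600000001", "Votre colis est en attente, confirmez la livraison: http://example-colis.duckdns.org/suivi"),
    ("+33600000002", "Rendez-vous demain à 14h, à bientôt !"),
    ("+33600000003", "Package delivery failed. Reschedule at https://Parcel-Update.DuckDNS.org/confirm."),
    ("+33600000004", "Votre commande est livrée: https://www.example.com/orders/42"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Lure vocabulary in French and English; extend for other locales the campaign targets.
DELIVERY_LURES = ("colis", "livraison", "package", "parcel", "delivery", "commande")
# Dynamic-DNS suffixes seen in first-stage delivery; the article names Duck DNS.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org",)


@dataclass
class Finding:
    sender: str
    url: str
    host: str
    severity: str  # "high" = dynamic-DNS host plus delivery lure, "medium" = host only


def extract_hosts(text):
    """Return (url, host) pairs; strips trailing punctuation and lowercases the host."""
    pairs = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")  # a sentence-ending dot is not part of the URL
        host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
        host = host.split("/")[0].split(":")[0].lower()  # drop path and port
        pairs.append((url, host))
    return pairs


def triage_sms(records):
    """Flag messages whose links resolve to dynamic-DNS hosts; a lure alone is not enough."""
    findings = []
    for sender, text in records:
        has_lure = any(word in text.lower() for word in DELIVERY_LURES)
        for url, host in extract_hosts(text):
            if host.endswith(DYNAMIC_DNS_SUFFIXES):
                severity = "high" if has_lure else "medium"
                findings.append(Finding(sender, url, host, severity))
    return findings


if __name__ == "__main__":
    for f in triage_sms(SAMPLE_SMS):
        print(f"{f.severity.upper():6} {f.sender} -> {f.host} ({f.url})")
```

The fourth sample carries a delivery lure but links to an ordinary domain, so it is deliberately not flagged; tune the suffix list and lure vocabulary to your own telemetry.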

Sekoia also reports that the data amassed could be used for extortion schemes and may even be sold to other threat actors for a huge sum.


Abdul Wahab is a Software Engineer by profession and a Tech geek by nature. Having been associated with the tech industry for the last five years, he has covered a wide range of Tech topics and produced well-researched and engaging content. You will mostly find him reviewing tech products and writing blog posts. Binge-watching tech reviews and endlessly reading tech blogs are his favorite hobbies.