Months after expanding to target other European countries, the mobile threat campaign tracked as Roaming Mantis is attacking French mobile users. According to a report Sekoia published last week, around 70,000 Android devices have been affected by this active malware operation.
These attack chains involve Roaming Mantis, a Chinese threat actor known to be financially motivated. The actor is known to use one of two tactics. The first is deploying MoqHao, or XLoader, a banking trojan.
The second is redirecting iPhone users to landing pages built for credential harvesting. These pages usually mimic iCloud login pages to gather information from users.
MoqHao is an Android remote access trojan (RAT), also known as Wroba or XLoader for Android. It steals information, has backdoor capabilities, and spreads through SMS.
According to Sekoia, MoqHao starts its operations with phishing SMS, enticing users with various package delivery-themed messages. These messages contain rogue links, which download harmful APK files if the user clicks on them. However, the download happens only when the victim's location is identified as being within French borders.
If the location is outside France, or the device's operating system is neither Android nor iOS, the server responds with a 404 Not Found status code.
Therefore, researchers believe this smishing campaign is geofenced and aims to either install Android malware or collect iCloud login credentials from Apple users.
MoqHao uses domains generated through the dynamic DNS service Duck DNS for its first-stage delivery infrastructure. Furthermore, the malicious app is also known to appear in Chrome web browsers. Thus, it is able to trick its users into granting it unnecessary permissions.
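The delivery pattern described above (Duck DNS hosts, an APK for Android, a landing page for iPhone, a 404 for everyone else) can be hunted for in web proxy logs. The following is an added example, not code from Sekoia or from this article; the log field names, addresses and host names are constructed, and the labels are hypothetical triage names.

```python
import json
from urllib.parse import urlsplit

DDNS_SUFFIX = ".duckdns.org"  # zone used by the Duck DNS service named in the article
APK_MIME = "application/vnd.android.package-archive"

# Constructed proxy records, one JSON object per line (field names are assumptions).
SAMPLE_LOG = """\
{"src":"10.0.0.5","url":"http://constructed-example.duckdns.org/","ua":"Mozilla/5.0 (Linux; Android 12; Pixel 5)","status":200,"ctype":"text/html"}
{"src":"10.0.0.5","url":"http://constructed-example.duckdns.org/app.apk","ua":"Mozilla/5.0 (Linux; Android 12; Pixel 5)","status":200,"ctype":"application/vnd.android.package-archive"}
{"src":"10.0.0.9","url":"http://constructed-example.duckdns.org/","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X)","status":200,"ctype":"text/html"}
{"src":"10.0.0.7","url":"http://constructed-example.duckdns.org/","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","status":404,"ctype":"text/html"}
{"src":"10.0.0.8","url":"https://example.com/app.apk","ua":"Mozilla/5.0 (Linux; Android 12)","status":200,"ctype":"application/vnd.android.package-archive"}
"""

def classify(record):
    """Return a triage label for one proxy record, or None if it is out of scope."""
    parts = urlsplit(record["url"])
    host = (parts.hostname or "").lower().rstrip(".")
    if not host.endswith(DDNS_SUFFIX):
        return None  # only Duck DNS subdomains are in scope for this hunt
    ua = record.get("ua", "")
    if record.get("status") == 404:
        # Consistent with the gate the article describes, but 404s are common: low confidence.
        return "ddns-404"
    is_apk = (record.get("ctype", "").lower().startswith(APK_MIME)
              or parts.path.lower().endswith(".apk"))
    if "Android" in ua and is_apk:
        return "android-apk-download"  # highest priority: possible sideloaded app
    if "iPhone" in ua or "iPad" in ua:
        return "ios-landing-page"      # possible credential-harvesting page visit
    return "ddns-visit"

def triage(log_text):
    """Parse JSON-lines proxy logs and return (source address, label) for each hit."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            label = classify(rec)
            if label:
                hits.append((rec["src"], label))
    return hits

if __name__ == "__main__":
    for src, label in triage(SAMPLE_LOG):
        print(src, label)
```

Duck DNS is also used for legitimate purposes, so these labels are leads for review rather than verdicts.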
Sekoia also reports that the data amassed could be used for extortion schemes and may even be sold to other threat actors for a huge sum.