Smishing Campaigns Target Europeans with 'Roaming Mantis' Android Malware

Short News:

Android users are infected with a banking trojan known as Wroba, while iPhone users are redirected to a phishing page that masquerades as the official Apple website. Kaspersky: The most severely affected countries are France, Japan, India, China, Germany, and Korea.


Detailed News:

A financially motivated campaign that has targeted Android devices and spread mobile malware via SMS phishing techniques since at least 2018 has, for the first time, extended its tentacles to strike victims in France and Germany.


The latest wave of activities observed in 2021 has been dubbed Roaming Mantis and involves sending bogus shipping-related texts that contain a URL to a landing page from which Android users are infected with a banking trojan known as Wroba, while iPhone users are redirected to a phishing page that masquerades as the official Apple website, according to researchers.


According to telemetry data collected by Kaspersky between July 2021 and January 2022, the most severely affected countries are France, Japan, India, China, Germany, and Korea, with France the most severely affected of all.


The group's activity has been tracked under the names MoqHao and XLoader (which should not be confused with the information-stealer malware of the same name that targets Windows and macOS), and its geographical reach has grown even as the operators have broadened their attack methods to mine cryptocurrency from Apple devices while avoiding detection.


In order to achieve its primary objective, the campaign is attempting to distribute Wroba, which is capable of acting as both spyware and banking malware, replacing legitimate applications with malicious versions and stealing credentials associated with victims' online banking accounts.


Further examination of the malware's artifacts revealed a switch from the Java programming language to the Kotlin programming language, as well as the addition of two new backdoor commands that allow Wroba to exfiltrate photo galleries and other data from infected devices.


As the researchers explained, "one possible scenario is that criminals steal information from things such as driver's licenses and health insurance cards, as well as bank cards, and use it to sign up for contracts with QR code payment services or mobile payment services." "Criminals can also use stolen photos to obtain money in other ways, such as through blackmail or sextortion," says the author.
