1(630)802-8605 Ravi.das@bn-inc.net

As most of us know, the top three mobile operating system platforms are iOS, Android, and Windows Mobile. Android probably has the lion’s share of the market, followed by iOS and then Windows Mobile. Because of this, Android is a prime target for the Cyber attacker. There have been recent reports that a DNS hijacking malware recently found targeting Android devices is now targeting iOS devices as well.

This specific piece of malware is known as “Roaming Mantis”. It initially targeted mobile banking users through a fake banking app designed to steal an end user’s login credentials as well as the secret code used by the Two Factor Authentication (2FA) mechanism. Now, security researchers at Kaspersky Labs are saying that the Cyber attackers behind this group are also targeting the iOS platform.

The twist this time is that they are also adding a cryptocurrency mining script for PC users. The initial attacks were designed to target users in South Korea, China, Bangladesh, and Japan. But now, the new wave of attacks is becoming much more powerful. For example, it now supports 27 languages, expanding its operations to infect people all over Europe and the Middle East.

The Roaming Mantis malware is deployed via DNS hijacking, in which the Cyber attacker changes the DNS settings of wireless routers to redirect network traffic to malicious websites under their control. The end result is that, depending on the device, the end user is served the following:

  • Fake financial apps infected with banking malware to Android users;
  • Phishing sites to iOS users;
  • Sites with cryptocurrency mining script to desktop users.

If the victim is using an iOS based device, he or she will most likely be redirected to a phishing site that mimics the real Apple website, under the domain name “security.app.com”. From there, he or she is prompted to enter a user ID, password, card number, card expiration date as well as the CVV number.

As also mentioned, the Roaming Mantis malware injects a browser-based cryptocurrency mining script from CoinHive to mine the Monero currency. The researchers at Kaspersky Labs say that the people in this particular Cyber attack group are well funded and are strongly motivated by financial gain at the cost of their victims.

So, given the level of sophistication of these enhanced capabilities of “Roaming Mantis”, what can one do to protect oneself? The security researchers at Kaspersky recommend the following:

*Make sure that the routers you are using are running the latest version of the required firmware and are also protected with a strong password (HINT: Use a password manager for this!!).

*Make sure the sites you are visiting have HTTPS enabled in the URL.

*Disable your router’s Remote Administration feature and hardcode a trusted DNS server in its settings.

*Always download and install apps from the official Android stores.

*Finally, check the DNS settings in your router as well as the DNS server address. If these two values do not match the ones issued by your provider, change them back to the right ones immediately.
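The last check can be automated on the client side. The following Python script is an added example, not code from this post or from Kaspersky: it reads resolver configuration in /etc/resolv.conf format and flags any resolver the provider did not issue. The sample configuration text, the expected resolver set and the home LAN range are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: resolver configuration in /etc/resolv.conf format, as a
# device might receive it from the router via DHCP.
SAMPLE_RESOLV_CONF = """\
# Generated by the router's DHCP lease
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.77
nameserver 2001:db8::53
"""

# Assumptions for this example: the resolvers the provider actually issues,
# and the home LAN range the router lives in.
EXPECTED_RESOLVERS = {"192.168.1.1", "2001:db8::53"}
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    return NAMESERVER_RE.findall(resolv_conf_text)


def check_resolvers(resolv_conf_text, expected, lan):
    """Compare the configured resolvers with the set the provider issued.

    Returns a list of (address, reason) findings; an empty list means every
    configured resolver is one that was expected.
    """
    expected_ips = {ipaddress.ip_address(a) for a in expected}
    findings = []
    for raw in parse_nameservers(resolv_conf_text):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            findings.append((raw, "not a valid IP address"))
            continue
        if addr in expected_ips:
            continue
        # A resolver outside the LAN that the provider never issued is the
        # classic sign of router DNS settings changed behind the owner's back.
        if addr in lan:
            findings.append((raw, "unexpected resolver inside the LAN"))
        else:
            findings.append((raw, "unexpected resolver outside the LAN"))
    return findings


if __name__ == "__main__":
    for address, reason in check_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS, HOME_LAN):
        print(f"WARNING: resolver {address}: {reason}")
```

On a real machine, replace SAMPLE_RESOLV_CONF with the contents of the device's resolver file and EXPECTED_RESOLVERS with the addresses your provider or router documentation lists.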

I know that I have mentioned the term “DNS” quite a bit in this blog. For those of you who do not know what it is, it stands for the “Domain Name Server”. In non-technical terms, this is just one part of the entire Internet system that allows you to access Web pages in just a matter of a few seconds. I will explain how all of this works in future blogs.

I also forgot to mention that the version of the Roaming Mantis malware targeted at iOS makes use of a series of mathematically generated random numbers which are 8 digits in value.

My two cents: If you are downloading apps, especially from the Android stores, be very, very careful. If you are unsure about an app, you can always take some time and research it on the Internet to see if it has received any bad reviews. If there are none and you still feel uncomfortable, then simply do not download that app at all.