Roaming Mantis Expands Android Backdoor to Europe

The Roaming Mantis Android malware campaign has buzzed into Europe, quickly infesting France in particular, where there have been 66,789 downloads of the group’s specific remote access trojan (RAT) as of January.

The campaign pushes the Android RAT known as Wroba (aka Moqhao or XLoader) onto victim devices. According to research from Kaspersky, it has been updated with the ability to exfiltrate images and galleries from a victim device, which potentially paves the way for lifting sensitive information from things like drivers’ licenses, abusing stored QR codes for payment services, or even for blackmail or sextortion.

Roaming Mantis has been on the move since 2018, mostly observed in Japan, South Korea and Taiwan. Now, its arrival in France has resulted in that country seeing the highest volume of attacks worldwide, according to researchers at Kaspersky. There have also been detections in Germany.

“The actor is focusing on expanding infection via smishing to users in Europe,” Kaspersky researchers noted in a Monday writeup. “The campaign in France and Germany was so active that it came to the attention of the German police and French media.”

The campaign typically spreads via “smishing” – i.e., SMS-based phishing, usually impersonating Google Chrome or a region-specific entity such as Yamato Transport in Japan.

“Typically, the smishing messages contain a very short description and a URL to a landing page,” they explained. “If a user clicks on the link and opens the landing page, there are two scenarios: iOS users are redirected to a phishing page imitating the official Apple website, while the Wroba malware is downloaded on Android devices.”

The Wroba RAT has a feature that checks the region of the infected device in order to display a phishing page in the corresponding language. In the past, it has checked for Asian regions, but Germany and France have been added as well, according to Kaspersky.

Interestingly, researchers also found that for non-targeted regions, the landing page blocks the connection from the source IP address, so the user just receives a fake “404” error page.

Recent Obfuscation Updates

The criminal group behind Roaming Mantis has recently updated some of its other tactics and tools, including adding various obfuscation techniques to the proceedings in order to evade detection.

“First, the actor changed the programming language from Java to Kotlin, a programming language designed to interoperate fully with Java,” researchers explained. “Then…the data structure of the embedded payload…was also modified.”

The first-stage payload, a loader that fetches Wroba, is now encased in a carapace of junk code, the researchers found. It’s an .ELF file was embedded into the .APK file that’s downloaded to the device. The .ELF file uses Java Native Interface (JNI) to install the second-stage payload, for decryption and also part of the loading feature, according to the researchers.

“The loader function takes each section of data from the embedded data, except the junk data,” they explained. “Then, the encrypted payload is XORed using the embedded XOR key. After the XOR operation, as with previous samples, the data is decompressed using zlib to extract the payload, a Dalvik Executable (DEX) file.”

The decrypted payload is then saved and executed to infect the malicious main module on victim devices.

Stealing Images

As for the Wroba backdoor itself, the RAT has received two new data-stealing commands: “get_photo” and “get_gallery.” This brings the total number of embedded backdoor commands to 21, according to Kaspersky.

“These new backdoor commands are added to steal galleries and photos from infected devices,” researchers noted. “This suggests the criminals have two aims in mind. One possible scenario is that the criminals steal details from such things as driver’s licenses, health insurance cards or bank cards, to sign up for contracts with QR code payment services or mobile payment services. The criminals are also able to use stolen photos to get money in other ways, such as blackmail or sextortion.”

They added, “We predict these attacks will continue in 2022 because of the strong financial motivation.”

_Check out our free _upcoming live and on-demand online town halls– unique, dynamic discussions with cybersecurity experts and the Threatpost community.