Meet the Roaming Mantis. No, it’s not a yoga pose. Or Poblacion’s newest speakeasy. It’s likely one of the largest, fastest-growing cybersecurity threats the world is facing today.
The Roaming Mantis was first discovered in April by Kaspersky Lab’s Global Research & Analysis Team (GReAT) APAC Director Vitaly Kamluk. At the time, it was a formidable piece of malware worming its way into Android phones across Asia. Now, it’s expanded to users in Europe and the Middle East. Latest reports claim the Roaming Mantis is now digging into iOS devices as well.
“We’re pretty much looking at cyber criminals who show no traces of stopping anytime soon,” said Suguru Ishimaru, security researcher at GReAT.
Speaking at Kaspersky Lab’s Annual Cyber Security Weekend in Siem Reap, Cambodia, Mr. Ishimaru shared the latest developments in the Roaming Mantis’ global campaign:
It spreads through various means
While the Roaming Mantis has its roots in MoqHao, a related piece of SMS-carried malware that spread through South Korea in July 2017, it has since moved on to hijacking Domain Name Systems (DNS), a protocol that commands how devices on the Internet communicate.
Through the DNS, the malware has been able to target Android smartphones, creeping in through various means, including routers with weak passwords. As soon as malicious actors gain control of the DNS, Mr. Ishimaru says, they control the network.
Other methods include redirecting users to fake sites that request for their private data, and SMS spoofing delivery services that pretend to send messages from legitimate sources. Phishing, essentially.
The malware has also begun targeting iOS devices used for cryptocurrency mining through CoinHive.
It evolves really fast
“[The Roaming Mantis undergoes] rapid change, very fast., Mr. Ishimaru said. “In one day, they can modify one line, next day, two lines and edit new features. They are so active and very aggressive and rapidly improving.”
The Roaming Mantis initially launched with four languages supported, essentially targeting users communicating through those languages. Today, the malware supports 27 languages — including Tagalog. What does this mean?
If the malware supports a particular language, Mr. Ishimaru says, that means the hacker group behind it sees money to be made among those users. With a vast majority of Filipino smartphone owners on the Internet and using Android, there is absolutely every incentive for hackers to support Tagalog.
It’s difficult to measure damages, but the scale is definitely huge.
Mr. Ishimaru confessed that his team has had a difficult time measuring the scale of the Roaming Mantis’ damages. They’ve found that at least 4,000 users have experienced data leaks due to malware installed in their devices. But that doesn’t begin to paint the full picture.
“But they don’t only use malware. They use malware and phishing sites, and mining to get money,” Mr. Ishimaru said. “I can’t imagine how big, but I’m going to say it’s a very big campaign.”
Based on their research, Mr. Ishimaru’s team found that the Roaming Mantis has managed to glean names, addresses, credit card numbers, and bank information from affected users.
Security questions and their answers were intercepted as well, meaning cybercriminals have a chance to regain access to accounts even after passwords are changed.
Cybercriminals are like “mafia or yakuza.”
Recent developments in the Roaming Mantis campaign follow a global trend in cyber threats: Criminals are upscaling their attacks in a major way.
Mr. Ishimaru noted that the criminals behind the Roaming Mantis were strategic, but rapid in how they scaled their operations. “They just supported all platforms,” he said. “That’s it. Any platform that gives access to their server. They host malicious content for each device, each platform.”
As to why there are cyber threats such as Roaming Mantis still being developed by individuals, Kaspersky’s researchers have noted that it is all just for profit.
“Cybercriminals [are] like mafia or yakuza, they have a strong financial motivation,” Mr. Ishimaru said. “They want the money.” While their methods are sophisticating by the day, Mr. Ishimaru noted that at least understanding the group’s motivations provides clues to what may lie in store.
Thankfully, it’s pretty simple to find out if the Roaming Mantis has found its way to your device.
“In my experience and [in the] case in Japan, the first time Roaming Mantis used DNS hijacking — any connection to the bad guy’s server, if you want to connect to Google, [you] cannot. If you want to connect to Yahoo, [you] cannot. If you want to access the bank, you cannot,” Mr. Ishimaru said.
Mr. Ishimaru said the key to keeping safe is a simple rule-of-thumb: Don’t allow third-party apps on your device. He noted that it’s very rare for malware to be found in the Google App store. As an added precaution, any user should have an anti-malware app installed on their device by default.
Home routers, which are not as frequently checked as phones and PCs, should also receive some TLC. Mr. Ishimaru said that IDs and passwords should be frequently changed.
While the Roaming Mantis is up for another update anytime soon, these safety precautions should keep it at bay.
“The intense financial motivation of this group is undoubtedly fueling it to try different attack and evasion tricks to widen its reach in a short period of time,” he said. “In its haste to jump on different platforms, languages, and territories, Roaming Mantis is leaving crumbs of clues that guide us in understanding and predicting its next moves.”
“We will keep monitoring their activity,” Mr. Ishimaru said. “We have to keep watching to save the world.”
As of writing, the Roaming Mantis was found to support the following languages:
- Simplified Chinese
- Traditional Chinese