Roaming Mantis

Roaming Mantis is an Android malware used to steal user information, obtain credentials for two-factor authentication, and take control of victim’s Android device. The malware has been distributed to victims via DNS hijacking by taking advantage of compromised routers. When a user connects their Android device to an infected router and attempts to access a website, the browser will redirect to a malicious site. The site displays a pop-up message requesting the user to update to the latest browser version. This is a fraudulent update that will download the malware onto the device. Roaming Mantis contains Android Application ID’s for popular apps in South Korea including ones for banking and gaming. Although the malicious apps were originally made for South Korean targets, recent support updates to the malware include Traditional Chinese, English, and Japanese, indicating an increase in targets.


  • May 2018: Roaming Mantis now supports 27 different languages and expanded its targets to users in Europe and the Middle East. This new version contains a script for the popular cryptocurrency miner Coinhive and the capability to target iOS devices in addition to Android devices. (Securelist)

Technical Details

  • SecureList has more technical details, here.