Roaming Mantis

Roaming Mantis is Android malware used to steal user information, capture two-factor authentication credentials, and take control of the victim's Android device. It has been distributed through DNS hijacking that relies on compromised routers: the router's DNS settings are altered so that when a user connects an Android device to it and tries to open a website, the browser is redirected to a malicious site. That site displays a pop-up asking the user to update to the latest browser version; the "update" is fraudulent and downloads the malware onto the device. Roaming Mantis contains Android application IDs for popular apps in South Korea, including banking and gaming apps. Although the malicious apps were originally built for South Korean targets, later updates to the malware added support for Traditional Chinese, English, and Japanese, indicating a wider set of targets.
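The practical check against this infection chain is to find out whether the resolver a router hands out is answering honestly. The script below is an added example written for this page; it is not code from the page, from SecureList, or from the malware analysis. It queries a constructed list of domains through the router's resolver and through an assumed trusted reference resolver (1.1.1.1 here) using only the Python standard library, then reports domains whose answer sets do not overlap. Treat a hit as a lead rather than proof, since CDN-fronted domains legitimately return different addresses to different resolvers; a resolver address that is not your ISP's or a known public service is the stronger signal.

```python
"""Router DNS hijack triage check (added example; not code from the page or SecureList).

Resolves a set of domains through the resolver the router handed out and through a
reference resolver, then reports domains whose answers do not overlap.  A disjoint
answer set is a lead, not proof: CDN-fronted domains legitimately vary by resolver.
Standard library only, so it runs from a laptop joined to the suspect network.
"""
import secrets
import socket
import struct
import sys

# Constructed list of domains to probe; replace with sites your users actually visit.
DOMAINS = ["example.com", "example.net", "example.org"]
# Assumed reference resolver: any resolver you trust that is NOT the one the router hands out.
REFERENCE_RESOLVER = "1.1.1.1"


def build_query(name, txid):
    """Build a minimal DNS A query (RFC 1035) with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Read a possibly compressed name; return (name, offset just past it in place)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg, txid):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:         # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def resolve(name, server, timeout=2.0):
    """Ask one specific resolver for A records, bypassing the OS resolver; [] on failure."""
    txid = secrets.randbelow(65536)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, txid), (server, 53))
            data, _ = s.recvfrom(4096)
        return parse_a_records(data, txid)
    except (OSError, ValueError):
        return []


def find_hijacked(local_answers, reference_answers):
    """Domains whose local answers are non-empty and share no IP with the reference's."""
    return sorted(
        d for d, ips in local_answers.items()
        if ips and not set(ips) & set(reference_answers.get(d, []))
    )


def main(router_dns, reference=REFERENCE_RESOLVER):
    local = {d: resolve(d, router_dns) for d in DOMAINS}
    ref = {d: resolve(d, reference) for d in DOMAINS}
    for d in find_hijacked(local, ref):
        print(f"{d}: router resolver says {local[d]}, reference says {ref[d]}")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: dns_hijack_check.py <router-dns-ip> [reference-dns-ip]")
    main(*sys.argv[1:3])
```

Run it with the DNS server address the router's DHCP lease assigned (on Android, the Wi-Fi network details screen shows it). Domains that differ are worth confirming with a reverse lookup or ASN check before concluding the router has been tampered with.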

Technical details

  • SecureList has more technical details here.