Beware Of Roaming Mantis Malware Phishing Campaign Preying On Android And iOS Users
Similar to a spyware campaign recently targeting Italian users, the campaign’s kill chain begins with an SMS message sent to phone numbers beginning with France’s +33 country code. The text message tells recipients that a package has been sent that requires review. The message includes a malicious link that directs users to different destinations, depending on certain conditions. If the user’s IP address corresponds to a location outside of France, the user is sent a 404 error, ending the attack prematurely.
If the victim’s phone is running Android, the server redirects the victim to a page that displays an alert and attempts to download an APK file. If the victim runs the APK file and disables the Android safeguards that protect against installing apps from unknown sources, it installs a malicious app that mimics the Chrome browser and asks victims to grant it extensive permissions. The XLoader malware contained within the app connects to the legitimate image hosting service Imgur to retrieve a command-and-control (C2) configuration from a user profile. The malware then steals information from the infected device and uploads it to the C2 server.
Between the phishing attack targeting iOS users and the malware attack targeting Android users, Roaming Mantis is able to gain access to a large range of personal data, as well as remotely interact with victims’ devices. This sensitive data and remote access could later be used to aid in extortion of the victims or associated businesses and institutions.