Malware Roaming Mantis Devours Thousands of Devices around the World

The Roaming Mantis malware allows attackers to take control of a victim’s device and steal information.

Triumphantly marching through Germany, Taiwan, South Korea, Japan, the US and the UK, the Roaming Mantis attacked mobile devices in France. Experts suggest that tens of thousands of devices could already be infected.

Let me remind you that we also recently wrote that Operators of the Clipminer Botnet “Earned” More Than $1.7 Million, and also that P2P Botnet Panchan Attacks Linux Servers.

According to experts, Roaming Mantis is a group of financially motivated hackers who started attacking Europeans in February 2022. In the latest malware campaign, attackers are using SMS to lure Android users to a phishing page and force them to download malware. If the victim is using iOS, it is redirected to a page through which cybercriminals steal their Apple ID credentials.

According to a report by SEKOIA researchers, the Roaming Mantis group forces Android users to download the XLoader payload, a powerful malware that allows hackers to remotely access the victim’s device, steal their information and send out SMS spam on their behalf, on their devices.

The current Roaming Mantis campaign is aimed at French users and starts with an SMS message sent to potential victims urging them to go to an embedded URL.

The message refers to a parcel sent by the victim, which needs to be reviewed and arranged for its delivery using a special application.SEKOIA experts say.

If the victim downloads the APK, it launches and mimics a Chrome installation, asking for risky permissions such as reading and sending SMS, making phone calls, reading and writing storage data, getting a list of accounts, and more. After that, the C&C configuration is extracted from the profile on the Imgur site.

If the target is using iOS, they are taken to a phishing page that steals the victim’s Apple ID.

Roaming Mantis attack chain

For users outside of France, the Roaming Mantis servers issue a 404 error and the attack stops.

SEKOIA has confirmed that over 90,000 victims have downloaded XLoader from the attackers’ main C&C server so far. The number of iOS users who gave their Apple ID credentials to hackers is unknown and could be the same or higher.