Roaming Mantis Android malware includes DNS changer for hacking WiFi routers


Roaming Mantis has updated its Android malware with a DNS changer that modifies the DNS settings of WiFi routers in order to spread the malware to other devices.

Researchers discovered that the ‘Roaming Mantis’ credential-theft and malware-distribution campaign is using a new version of the Wroba.o/XLoader Android malware that detects WiFi routers and modifies their DNS settings based on the router model.

The malware sends an HTTP request to the router that hijacks its DNS settings, causing connected devices to be redirected to malicious websites hosting malware or phishing pages.

Kaspersky, which has been monitoring Roaming Mantis activity for many years, discovered the updated Wroba.o/XLoader Android malware. Kaspersky explained that Roaming Mantis has used DNS hijacking since at least 2018, but the new campaign targets particular router models.

This latest campaign uses the updated malware to target specific WiFi router models used primarily in South Korea. The hackers can modify the malware at any time to add router models used elsewhere.

This allows threat actors to target specific regions and users more effectively, while still avoiding detection in other situations.

Roaming Mantis campaigns in the past targeted people from Japan, Austria and France as well as Germany, Turkey and Malaysia.

Changing the router's DNS

Roaming Mantis’ latest campaigns employ SMS phishing texts (smishing) to redirect targets to malicious websites.

Android users are prompted to install a malicious APK containing the Wroba.o/XLoader malware. iOS users are instead redirected by the landing page to a phishing page that attempts to steal their credentials.

Latest campaign attack diagram


After XLoader is installed on the victim’s Android phone, it retrieves the default gateway IP of the WiFi router. It then attempts to log into the router's administrator web interface using a default password in order to identify the router model.

XLoader checking the WiFi router model


XLoader contains 113 hardcoded strings used to identify specific WiFi router models. If there is a match, the malware performs the DNS hijacking step and changes the router’s settings.

The malware performs the DNS change on the router


Kaspersky reports that the DNS changer accesses the router using default credentials (admin/admin) and then changes the DNS settings using one of several methods, depending on which router model was detected.

Roaming Mantis’ DNS server only resolves domain names to the landing pages when it is accessed from a mobile device, which is likely an evasion tactic aimed at security researchers.
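The hijack described above leaves two observable traces on any client that joins the compromised WiFi: the router hands out an unexpected DNS server over DHCP, and names resolved through that server disagree with a trusted resolver (often collapsing onto a single landing-page IP). The following Python script is an added example of a client-side check for those traces; it is not code from Kaspersky or from the article. The LAN range, the allowlist of expected resolvers, the canary domain names and all lease and answer data are constructed sample values.

```python
"""
Added example, not code from Kaspersky or the article: a client-side check for
the router DNS hijack described above. It inspects the DNS servers a device was
handed by DHCP and compares answers for a few canary domains from the
router-provided resolver against answers from a trusted resolver. All inputs
below are constructed sample data; a real client would read its DHCP lease and
send the canary queries itself.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Hypothetical LAN and the resolvers a device expects DHCP to advertise there:
# the router itself (which normally forwards to the ISP) or a known public resolver.
LAN = ipaddress.ip_network("192.168.0.0/24")
EXPECTED_DNS = {"192.168.0.1", "1.1.1.1", "8.8.8.8", "9.9.9.9"}

# Canary names whose legitimate answers come from a trusted resolver reached
# directly (for example over DNS-over-HTTPS), bypassing the router's DNS.
CANARY_DOMAINS = ["login.example", "update.example", "bank.example"]


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def check_dhcp_dns(advertised: list[str], expected: set[str] = EXPECTED_DNS, lan=LAN) -> list[Finding]:
    """Flag advertised DNS servers that are not on the allowlist. A hijacked
    router typically hands out the attacker's resolver, usually off-LAN."""
    findings = []
    for server in advertised:
        if server in expected:
            continue
        where = "inside" if ipaddress.ip_address(server) in lan else "outside"
        findings.append(Finding("unexpected-dns-server", f"{server} ({where} {lan})"))
    return findings


def check_canary_answers(router_answers: dict[str, set[str]], trusted_answers: dict[str, set[str]]) -> list[Finding]:
    """Compare A records for the canary domains. Two signals: the router-provided
    resolver disagrees with the trusted one, and several unrelated names collapse
    onto one IP (the attacker's landing page)."""
    findings = []
    for name in CANARY_DOMAINS:
        via_router = router_answers.get(name, set())
        via_trusted = trusted_answers.get(name, set())
        if via_router and not (via_router & via_trusted):
            findings.append(Finding("answer-mismatch", f"{name}: router={sorted(via_router)} trusted={sorted(via_trusted)}"))
    names_per_ip: dict[str, set[str]] = {}
    for name, ips in router_answers.items():
        for ip in ips:
            names_per_ip.setdefault(ip, set()).add(name)
    for ip, names in sorted(names_per_ip.items()):
        if len(names) >= 2:
            findings.append(Finding("shared-landing-ip", f"{ip} answers for {sorted(names)}"))
    return findings


def assess(advertised, router_answers, trusted_answers) -> dict:
    """Combine both checks; any finding marks the network as suspect."""
    findings = check_dhcp_dns(advertised) + check_canary_answers(router_answers, trusted_answers)
    return {"hijack_suspected": bool(findings), "findings": findings}


# Constructed sample data: a healthy lease/answers and a hijacked one.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as stand-ins.
HEALTHY_LEASE = ["192.168.0.1"]
HIJACKED_LEASE = ["203.0.113.53", "203.0.113.54"]
TRUSTED_ANSWERS = {"login.example": {"198.51.100.10"}, "update.example": {"198.51.100.20"}, "bank.example": {"198.51.100.30"}}
HIJACKED_ANSWERS = {name: {"203.0.113.99"} for name in CANARY_DOMAINS}

if __name__ == "__main__":
    for label, lease, answers in [("healthy", HEALTHY_LEASE, TRUSTED_ANSWERS), ("hijacked", HIJACKED_LEASE, HIJACKED_ANSWERS)]:
        result = assess(lease, answers, TRUSTED_ANSWERS)
        print(f"{label}: hijack_suspected={result['hijack_suspected']}")
        for f in result["findings"]:
            print(f"  [{f.kind}] {f.detail}")
```

The shared-landing-IP check is the more robust of the two signals: an attacker can choose a resolver address inside the LAN range to dodge the allowlist, but a rogue resolver that steers many unrelated names to one page still shows up in the answer comparison. On a real device the trusted answers must come from a resolver reached directly (e.g. DNS-over-HTTPS to a pinned address), otherwise the hijacked router answers both queries and the comparison is meaningless.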

Spreading the infection

With the router’s DNS settings modified, any other Android device that connects to it via WiFi is directed to the malicious landing page and asked to download the malware.

This continuous stream of newly infected devices can go on to compromise further WiFi routers, including those that provide internet access to many users across the country.

Kaspersky warns of this risk, saying that the Roaming Mantis campaign has a “purposefully unscrambled” feature that allows the malware to spread unchecked.

Even though there is no landing page for U.S. targets and Roaming Mantis does not appear to actively target router models used in the country, Kaspersky’s telemetry shows that 10 percent of all XLoader victims reside in the U.S.

Users can avoid the Roaming Mantis campaign by not clicking links in SMS messages and, more importantly, by not installing APKs from outside Google Play.