Hackers hijack router DNS to distribute Android banking trojan

Researchers have discovered an ongoing malware campaign that is hijacking Internet routers to distribute Android banking malware that steals users’ sensitive information like login credentials and the code for two-factor authentication.
By hijacking DNS settings on vulnerable and poorly secured routers, hackers have managed to trick victims to install an Android malware named Roaming Mantis.
Hackers intercept the traffic, and then they inject rogue ads on web-pages that redirect users to phishing pages.

Hijacking routers’ DNS for a malicious purpose is not new; there are other malware families like DNSChanger and Switcher that have similar purposes.
This new malware campaign affects Asian countries, like South Korea, China Bangladesh, and Japan.
The modified DNS settings redirect victims to a pop-up warning message: “To better experience, the browsing, update to the latest chrome version.”
The Chrome browser app for Android is nothing more than a masquerade, behind it is the Roaming Mantis malware app.

Companies and individual people must take certain precautions against this growing phenomenon; they should implement at least a cybersecurity solution, like an antivirus, to protect their systems. Necessary things like regularly updating operating systems, using antivirus for Windows, an antivirus for Mac, or antivirus for Android, depending on which OS your device is using. Companies must also hire professional cybersecurity firms to do regular checkups to their internal network a couple of times per year. These checkups must always include a penetration test and various ethical hacking test.

Researchers made a malware analysis on Roaming Mantis and found out that it can: take permission of the device’ to collect account information, manage SMS/MMS and make calls, record audio, control external storage, check packages, work with file systems, draw overlay windows and so on.
During the malware analysis, it was found references to popular South Korean mobile banking and gaming applications, as well as a protection measure that tries to detect if the infected device is rooted.
The malware scan for rooted devices because this may indicate that an advanced Android user owns the device and in this case will not go further with the infection.
Roaming Mantis uses one of the leading Chinese social media websites: my.tv.sohu.com as its C&C server.
Until now we have detected the Roaming Mantis malware more than 6,000 times.

We advised you to update your router firmware and protected it with a secure password.
Keep in mind that every phone represents a network entry point or a valuable data bank that must be protected by at least cybersecurity solution like an antivirus. Depending on which OS your device is running, install an antivirus for Windows, an antivirus for Mac, or antivirus for Android for total protection. Companies must take an extra step and hire a professional cybersecurity firm that will run various cybersecurity tests on your company’s network to implement only the best possible cybersecurity solution. Always opt for a package that includes at least a penetration test and ethical hacking test. For companies that exist 100% online, we recommend the using of cyber-secured web hosting services.