The campaign’s Android Trojan, called Wroba, aims to steals online banking credentials, as it had done in previous attacks. However, researchers say that it can now also access and steal photos and videos from devices. This could allow cybercriminals to carry out more nefarious activities, like blackmail or sextortion.
Roaming Mantis Uses Fake Package Shipping Texts
Researchers at Kaspersky have observed the Roaming Mantis campaign since 2018. The campaign steals banking credentials and distributes malware. Its early attacks targeted victims in Japan, Taiwan, and Korea. The researchers said that France, Japan, India, China, Germany, and Korea were the most affected countries, between July 2021 and January 2022. The most recent campaign attacks smartphone users in Germany and France with smishing messages. A potential victim receives a warning message concerning a shipped package, as well as a URL. If activated on an Apple device, the URL redirects the user to a phishing website. This site will attempt to steal the user’s Apple login information. On the other hand, if clicked on by an Android user, the URL sends them to a landing page that prompts them to install a disguised malicious application.
Latest Campaign Contains New Backdoor Commands
The cybercriminals leveraging Roaming Mantis have gone to great lengths to avoid detection. Between 2020 and 2021, the criminals used a number of obfuscation techniques in their landing page script. Furthermore, the landing page does not allow connections from IP addresses in non-target regions. For those, it displays a fake “404” page. Regarding the latest campaign, researchers found additional backdoor commands that give the malware new capabilities. Specifically, the commands allow cybercriminals to steal photos and videos from their victims. This is what Kaspersky’s researchers had to say: “These new backdoor commands are added to steal galleries and photos from infected devices. This suggests the criminals have two aims in mind. One possible scenario is that the criminals steal details from such things as driver’s licenses, health insurance cards or bank cards, to sign up for contracts with QR code payment services or mobile payment services. The criminals are also able to use stolen photos to get money in other ways, such as blackmail or sextortion.”
Protect Yourself From Malicious SMS Campaigns
Kaspersky’s researchers believe the campaign will continue this year due to “the strong financial motivation.” With that in mind, it is crucial to keep yourself safe from potential attacks. For starters, it is a good idea to approach any SMS containing a URL with caution. Also, avoid downloading APKs from outside the authorized app store. If you found this story interesting, check out our articles on Trojans and phishing so you can protect yourself from malicious attacks.