Hijack Router DNS: Distributing Android Banking Trojan

Security researchers have recently been warning about an ongoing malware campaign hijacking routers to distribute Android banking malware that steals users’ sensitive info, login credentials and the secret codes for two-factor authentication (2FA).

To trick victims into installing the Android malware called Roaming Mantis, hackers have been hijacking DNS settings on vulnerable and poorly secured routers.

DNS hijacking attacks allow hackers to intercept traffic, inject rogue ads on web-pages, and then redirect users to phishing pages designed to fool them into sharing their sensitive info.

Hijacking routers’ DNS for a malicious purpose isn’t new. DNSChanger & Switcher are both malware that work by changing the DNS settings of the wireless routers to redirect traffic to malicious sites controlled by attackers.

Discovered by security researchers at Kaspersky Labs, this new malware campaign has primarily been targeting users in Asiatic countries, including S. Korea, China, Bangladesh, and Japan, since February of this year.

Once modified, the rogue DNS settings configured by hackers redirect the victims to fake versions of legit sites they try to visit and display a pop-up warning message, which reads—”To better experience browsing update to the latest chrome version.”

It then downloads the Roaming Mantis malware application pretending to be a Chrome browser app for Android, which then takes permission to collect device’ account information, manage SMS/MMS as well as making phone calls, recording audio, controlling external storage, checking packages, working with file systems etc.

“This redirection led to the installation of Trojanized apps named facebook.apk & chrome.apk that contained Android Trojan-Banker.”

If installed, the malicious application overlays all other windows immediately to show a false warning message (in broken English, of course), which reads: “Account No exists risks, use after certification.”

Roaming Mantis then starts a local web server on the device and launches the web browser to open a fake version of Google asking users to fill out their names and DOB (date of birth).

To convince users into believing that they are handing over this information to Google itself the fake page displays users’ Gmail email ID configured on their infected Android device. As per the report:

“After the user enters their name and date of birth, the browser is redirected to a blank page at${random_port}/submit,” researchers stated. “Just like the distribution page the malware supports four languages: Korean, Traditional Chinese, Japanese and English.”

Since the Roaming Mantis malware application has already gained permission to read & write SMS on the device, it allows attackers to steal the secret verification code for the two-factor authentication for the victims’ accounts.malware

While analyzing the malware code researchers found reference to popular S. Korean mobile banking and gaming apps and a function that tries to detect if the infected device is rooted.

“For attackers, this may indicate that a device is owned by an advanced Android user (a sign to stop screwing with the device) or, alternatively, a chance to leverage root access to gain access to the whole system,” the researchers concluded.

What is interesting about the malware is that it uses one of the leading Chinese social media websites ( as its command-and-control(C&C) server and sends commands to infected devices just via updating the attacker-controlled user profiles.

According to Kaspersky’s Telemetry data, the Roaming Mantis malware was detected more than six thousand times, though the reports came from only one-hundred-fifty users.

We advise you to ensure your router is running the latest version of the firmware and is protected with a very strong password.

You should also disable router’s remote admin feature and hardcode a trusted DNS server into the OS network settings.

Olé Crypto,

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.