{
	"id": "01438b7e-cadd-412a-b528-015e3cfbea9e",
	"created_at": "2026-04-06T00:19:57.033777Z",
	"updated_at": "2026-04-10T03:34:59.371775Z",
	"deleted_at": null,
	"sha1_hash": "11ebead41a810ad5744ff343605fa07309b3fffe",
	"title": "Roaming Mantis reaches Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2878676,
	"plain_text": "Roaming Mantis reaches Europe\r\nBy Suguru Ishimaru\r\nPublished: 2022-02-07 · Archived: 2026-04-05 15:30:50 UTC\r\nRoaming Mantis is a malicious campaign that targets Android devices and spreads mobile malware via smishing (SMS phishing).\r\nWe have been tracking Roaming Mantis since 2018 and have published five blog posts about this campaign:\r\nRoaming Mantis uses DNS hijacking to infect Android smartphones\r\nRoaming Mantis dabbles in mining and phishing multilingually\r\nRoaming Mantis, part III\r\nRoaming Mantis, part IV\r\nRoaming Mantis, part V\r\nIt has been a while since the last blog post, but we observed new Roaming Mantis activity in 2021, along with changes in the Android Trojan Wroba.g (or Wroba.o, a.k.a. MoqHao, XLoader) that is mainly used in this campaign. Furthermore, we discovered that France and Germany were added as primary targets of Roaming Mantis, in addition to Japan, Taiwan and Korea.\r\nGeography of Roaming Mantis victims\r\nOur latest research into Roaming Mantis shows that the actor is focusing on expanding infection via smishing to users in Europe. The campaign in France and Germany was so active that it came to the attention of the German police and French media, who alerted users about the smishing messages and the compromised websites used as landing pages.\r\nhttps://securelist.com/roaming-mantis-reaches-europe/105596/\r\nPage 1 of 9\r\nSmishing alerts on German and French websites\r\nTypically, the smishing messages contain a very short description and a URL to a landing page. If a user clicks on the link and opens the landing page, there are two scenarios: iOS users are redirected to a phishing page imitating the official Apple website, while Android users are served the Wroba malware as an APK download.\r\nLink from smishing message redirects to Wroba or phishing page\r\nBased on the telemetry we gathered between July 2021 and January 2022, Wroba.g and Wroba.o were detected in many regions. The most affected countries were France, Japan, India, China, Germany and Korea.\r\nTerritories affected by Trojan-Dropper.AndroidOS.Wroba.g and Trojan-Dropper.AndroidOS.Wroba.o (download)\r\nWe would also like to point out some very interesting data on Roaming Mantis landing page statistics published at Internet Week 2021 and on GitHub by @ninoseki, an independent security expert based in Japan. The data shows the number of downloaded APK files, landing page domains, and IP addresses located in the seven regions targeted most by Roaming Mantis using Wroba.g/Wroba.o on a particular day in September 2021.\r\nThe number of downloaded APK files and IPs/domains of landing pages\r\nThe following table ranks the targeted regions by the number of APK file downloads. The most affected country is France, followed by Japan, Germany and others. Some of the targeted regions seem to overlap with our telemetry mentioned above.\r\nRank  Region         IPs  Domains  Downloads  Impersonated brand\r\n1     France           5    1,246     66,789  Google Chrome\r\n2     Japan            4      539     22,254  Yamato Transport\r\n3     Germany          1      162      2,681  Google Chrome\r\n4     Korea            2        8      2,564  ePOST\r\n5     United States    5      123        549  Google Chrome\r\n6     Taiwan           1       62        302  智能宅急便 (Yamato Transport in Chinese)\r\n7     Turkey           3        5         27  Google Chrome\r\nAnti-researcher tricks in the landing page\r\nThroughout 2020 and 2021, the criminal group behind Roaming Mantis used various obfuscation techniques in the landing page script in order to evade detection.\r\nVariety of obfuscation techniques in the landing page script\r\nIn addition to obfuscation, the landing page blocks connections from source IP addresses in non-targeted regions and shows only a fake “404” page to those connections.\r\nThe user agent checking feature of the landing page has not changed since 2019: it classifies the device by its user agent string, redirecting to the phishing page if the device is iOS-based, or delivering the malicious APK file if the device is Android-based.\r\nTechnical analysis: loader module of Wroba.g/Wroba.o\r\nWe performed an in-depth analysis of Wroba.g/Wroba.o samples and observed several modifications in the loader module and payload, using kuronekoyamato.apk as an example. First, the actor changed the programming language from Java to Kotlin, a language designed to interoperate fully with Java. Then, the actor removed the multidex obfuscation trick. Instead, the data structure of the embedded payload (assets/rmocpdx15k7a5q) was modified as follows:\r\nModified data structure of embedded payload\r\nThe first eight bytes of the data are junk (gray), followed by the size of the payload (orange), a single-byte XOR key (red), the encrypted payload (green) and more junk (gray). Furthermore, an ELF file, lib/armeabi-v7a/libdf.so, is embedded in the APK file: it is called through the Java Native Interface (JNI) and implements the decryption of the second-stage payload and part of the loading feature. The decryption process consists of just three steps:\r\nFirst, the loader function takes each section of the embedded data, skipping the junk bytes. Then, the encrypted payload is XORed with the embedded single-byte key. Finally, as with previous samples, the XORed data is decompressed using zlib to obtain the payload, a Dalvik Executable (DEX) file.\r\nThe following simple Python script extracts the payload:\r\n#!/usr/bin/env python3\r\nimport sys\r\nimport zlib\r\n\r\n# Layout of the embedded blob: 8 junk bytes, a 3-byte big-endian payload size,\r\n# a 1-byte XOR key, the encrypted payload, then trailing junk.\r\ndata = open(sys.argv[1], \"rb\").read()\r\nsize = data[8] \u003c\u003c 16 | data[9] \u003c\u003c 8 | data[10]\r\nkey = data[11]\r\nenc = data[12:12 + size]\r\n\r\n# Undo the single-byte XOR, then zlib-inflate to recover the DEX file\r\ndec_x = bytes(b ^ key for b in enc)\r\ndec_z = zlib.decompress(dec_x)\r\nwith open(sys.argv[1] + \".dec\", \"wb\") as fp:\r\n    fp.write(dec_z)\r\nIn this sample, the decrypted payload is saved as /data/data/ggk.onulfc.jb.utxdtt.bk/files/d and loaded as the malicious main module on the victim device.\r\nTechnical analysis: payload of Wroba.g/Wroba.o\r\nRegarding the Wroba.g/Wroba.o payload, Kaspersky experts observed only two minor updates. One of them is the feature that checks the region of the infected device in order to display a phishing page in the corresponding language. The old sample checked for three regions: Hong Kong, Taiwan and Japan. In the new sample, Germany and France were added as new regions. From this update, together with the map above, it is clear that Germany and France have become the main targets of Roaming Mantis with Wroba.g/Wroba.o.\r\nThe other modification is in the backdoor commands. The developer added two backdoor commands, “get_photo” and “get_gallery”, and removed the command “show_fs_float_window”. Overall, there are 21 embedded backdoor commands.\r\nList of embedded backdoor commands with the two new commands ‘get_gallery’ and ‘get_photo’\r\nThese new backdoor commands were added to steal galleries and photos from infected devices. This suggests the criminals have two aims in mind. One possible scenario is that the criminals steal details from items such as driver’s licenses, health insurance cards or bank cards to sign up for contracts with QR code payment services or mobile payment services. The criminals are also able to use stolen photos to obtain money in other ways, such as blackmail or sextortion. The other functions of the payload are unchanged. For more details, please see our previous blog posts mentioned above.\r\nConclusion\r\nIt has been almost four years since Kaspersky first observed the Roaming Mantis campaign. Since then, the criminal group has continued its attack activities using various malware families such as HEUR:Trojan-Dropper.AndroidOS.Wroba, and various attack methods such as phishing, mining, smishing and DNS poisoning. In addition, the group has now expanded its geography, adding two European countries to its main target regions. We predict these attacks will continue in 2022 because of the strong financial motivation.\r\nMD5 hashes of Wroba.o\r\n527b5eebb6dbd3d0b777c714e707659c\r\n19c4be7d5d8bf759771f35dec45f267a\r\n2942ca2996a80ab807be08e7120c2556\r\n4fbc28088b9bf82dcb3bf42fe1fc1f6d\r\n0aaf6aa859fbdb84de20bf4bf28a02f1\r\n5bafe0e5a96b1a0db291cf9d57aab0bc\r\nddd131d7f0918ece86cc7a68cbacb37d\r\nSource: https://securelist.com/roaming-mantis-reaches-europe/105596/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/roaming-mantis-reaches-europe/105596/"
	],
	"report_names": [
		"105596"
	],
	"threat_actors": [
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434797,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11ebead41a810ad5744ff343605fa07309b3fffe.pdf",
		"text": "https://archive.orkl.eu/11ebead41a810ad5744ff343605fa07309b3fffe.txt",
		"img": "https://archive.orkl.eu/11ebead41a810ad5744ff343605fa07309b3fffe.jpg"
	}
}
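Added example, appended after the record above and not part of the Securelist post or of the Wroba loader itself: a stand-alone parser for the embedded-payload layout described in the "loader module" section (8 junk bytes, 3-byte big-endian size, 1-byte XOR key, XORed zlib stream, trailing junk), with bounds and magic checks the page's one-off script omits. The encoder `build_blob` and the fake DEX bytes are constructed here purely to produce test input in that layout; the byte offsets follow the article, everything else is an assumption of this example.

```python
#!/usr/bin/env python3
"""Parse and decrypt a blob laid out like the Wroba.g/Wroba.o embedded payload.

Layout (from the article): 8 junk bytes | 3-byte big-endian size | 1-byte XOR key |
`size` bytes of XORed zlib data | trailing junk.  Offsets are the article's; the
encoder and sample data below are constructed for this example only.
"""
import os
import zlib

JUNK_LEN = 8                           # leading junk the loader skips
SIZE_LEN = 3                           # payload size field, big-endian
HEADER_LEN = JUNK_LEN + SIZE_LEN + 1   # ... plus the single-byte XOR key = 12


def xor_bytes(buf: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in buf)


def decrypt_payload(blob: bytes) -> bytes:
    """Three steps from the article: skip junk, XOR with the key, zlib-inflate.

    Raises ValueError on a truncated blob or when the result is not a DEX file,
    so a wrong layout or key is reported instead of producing garbage silently.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than the 12-byte header")
    size = int.from_bytes(blob[JUNK_LEN:JUNK_LEN + SIZE_LEN], "big")
    key = blob[JUNK_LEN + SIZE_LEN]
    enc = blob[HEADER_LEN:HEADER_LEN + size]       # trailing junk is ignored
    if len(enc) != size:
        raise ValueError(f"declared payload size {size} but only {len(enc)} bytes present")
    dex = zlib.decompress(xor_bytes(enc, key))
    if not dex.startswith(b"dex\n"):
        raise ValueError("decrypted data lacks the DEX magic; wrong layout or key?")
    return dex


def build_blob(dex: bytes, key: int, leading_junk: bytes = None,
               trailing_junk: bytes = b"") -> bytes:
    """Constructed encoder (assumption of this example, not malware code) that
    emits the same layout, used to generate test input for decrypt_payload."""
    if leading_junk is None:
        leading_junk = os.urandom(JUNK_LEN)
    enc = xor_bytes(zlib.compress(dex), key)
    if len(enc) >= 1 << 24:
        raise ValueError("payload too large for a 3-byte size field")
    return (leading_junk + len(enc).to_bytes(SIZE_LEN, "big")
            + bytes([key]) + enc + trailing_junk)


# Constructed sample: DEX magic plus filler, not a real Wroba payload.
SAMPLE_DEX = b"dex\n035\x00" + bytes(range(256)) * 4
SAMPLE_KEY = 0x5A


def roundtrip() -> bool:
    """Encode the sample with junk on both ends and check it decrypts back."""
    blob = build_blob(SAMPLE_DEX, SAMPLE_KEY, trailing_junk=b"\xff" * 16)
    return decrypt_payload(blob) == SAMPLE_DEX


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        # Usage: decrypt an extracted asset file and write <file>.dec
        out = decrypt_payload(open(sys.argv[1], "rb").read())
        open(sys.argv[1] + ".dec", "wb").write(out)
        print(f"wrote {len(out)} bytes")
    else:
        print("roundtrip ok" if roundtrip() else "roundtrip FAILED")
```

Run it with no arguments to exercise the constructed round trip, or with the path of an asset extracted from an APK to write a `.dec` file beside it. Because the size field is trusted only after the slice length is checked, a truncated or mis-identified asset fails loudly rather than feeding partial data to zlib.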