{
	"id": "6bbda92d-9c7d-41e6-bea5-6dc749541f16",
	"created_at": "2026-04-06T01:31:02.437503Z",
	"updated_at": "2026-04-10T03:34:59.376607Z",
	"deleted_at": null,
	"sha1_hash": "ec0bd701c80a7a3776a628b4952ce6921d75dd97",
	"title": "Roaming Mantis infects smartphones through Wi-Fi routers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 425538,
	"plain_text": "Roaming Mantis infects smartphones through Wi-Fi routers\r\nBy Alex Drozhzhin\r\nPublished: 2018-05-18 · Archived: 2026-04-06 00:57:57 UTC\r\nSome time ago our experts investigated a piece of malware that they dubbed Roaming Mantis. Back then, the people affected were mainly users in Japan, Korea, China, India, and Bangladesh, so we didn’t discuss the malware in the context of other regions; it looked like a local threat.\r\nHowever, in the month since the report was published, Roaming Mantis has added two dozen more languages and is rapidly spreading around the world.\r\nThe malware uses compromised routers to infect Android-based smartphones and tablets, redirect iOS devices to a phishing site, and run the CoinHive cryptomining script on desktops and laptops. It does all of this by means of DNS hijacking, which makes it hard for targeted users to notice that something is amiss.\r\nWhat is DNS hijacking\r\nWhen you enter a site name in your browser address bar, the browser doesn’t actually send a request to that name. It can’t: the Internet runs on IP addresses, which are strings of numbers, whereas domain names made of words are easier for people to remember and type.\r\nSo when you enter a URL, your browser first sends a query to a DNS server (DNS stands for Domain Name System), which translates the human-friendly name into the IP address of the corresponding website. It is this IP address that the browser then uses to connect to the site.\r\nDNS hijacking is any technique that makes the browser accept a wrong IP address for a domain name while it believes it has the right one. 
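Because the name in the address bar never changes, a hijack of this kind has to be spotted from the resolver configuration and the answers themselves. What follows is an added example written for this page in Python; it is not code from the original article or from Kaspersky. It performs the two checks the article relies on: the DNS servers a device received from the router are compared against the resolvers the ISP publishes (the cleanup step at the end of the article), and the addresses returned by that router-assigned resolver are compared against those returned by a trusted resolver, flagging the case where many unrelated names all land on one address, which is what a rogue server that sends everything to one malicious site looks like. The ISP resolver set, the names, and every address below are constructed sample data drawn from the documentation ranges, and no network lookups are made, so the example runs offline.

```python
import ipaddress
from collections import Counter

# Constructed sample, not real data: the resolver lines a client might see in
# /etc/resolv.conf after the router handed them out via DHCP.
SAMPLE_RESOLV_CONF = '''
# Generated by DHCP
nameserver 203.0.113.53
nameserver 198.51.100.12
search lan
'''

# Hypothetical: the resolver addresses the ISP publishes for its customers.
ISP_RESOLVERS = {'198.51.100.12', '198.51.100.13'}

# Constructed sample answers (documentation-range addresses, .example names):
# what the router-assigned resolver and a trusted, independently reached
# resolver returned for the same names. No queries are sent anywhere.
LOCAL_ANSWERS = {
    'bank.example': ['203.0.113.77'],
    'mail.example': ['203.0.113.77'],
    'shop.example': ['203.0.113.77'],
    'www.example': ['192.0.2.10'],
}
TRUSTED_ANSWERS = {
    'bank.example': ['192.0.2.40'],
    'mail.example': ['192.0.2.41'],
    'shop.example': ['192.0.2.42', '192.0.2.43'],
    'www.example': ['192.0.2.10'],
}


def parse_nameservers(resolv_conf):
    '''Return the valid IP addresses from nameserver lines, in file order.'''
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) != 2 or parts[0] != 'nameserver':
            continue
        try:
            servers.append(str(ipaddress.ip_address(parts[1])))
        except ValueError:
            continue  # malformed address: ignore the line rather than crash
    return servers


def unexpected_resolvers(configured, expected):
    '''Configured resolvers that are not in the set the ISP publishes.'''
    return [ip for ip in configured if ip not in expected]


def compare_answers(local, trusted):
    '''Names whose A records differ between the two resolvers (sorted).'''
    return sorted(name for name in local
                  if name in trusted and set(local[name]) != set(trusted[name]))


def find_sinkhole(local, trusted, min_names=3):
    '''Return the address that at least min_names different names resolve to
    through the local resolver while the trusted resolver disagrees, or None.
    A rogue resolver that sends every name to one landing page shows up here;
    a single differing record (CDN rotation, stale cache) does not.'''
    hits = Counter()
    for name, ips in local.items():
        good = set(trusted.get(name, []))
        for ip in ips:
            if ip not in good:
                hits[ip] += 1
    if not hits:
        return None
    ip, count = hits.most_common(1)[0]
    return ip if count >= min_names else None


def assess(resolv_conf, isp_resolvers, local, trusted):
    '''Combine both checks into one verdict dictionary.'''
    configured = parse_nameservers(resolv_conf)
    rogue = unexpected_resolvers(configured, isp_resolvers)
    mismatched = compare_answers(local, trusted)
    sinkhole = find_sinkhole(local, trusted)
    return {
        'configured': configured,
        'rogue_resolvers': rogue,
        'mismatched_names': mismatched,
        'sinkhole': sinkhole,
        'hijacked': bool(rogue) or sinkhole is not None,
    }


if __name__ == '__main__':
    verdict = assess(SAMPLE_RESOLV_CONF, ISP_RESOLVERS, LOCAL_ANSWERS, TRUSTED_ANSWERS)
    for key, value in verdict.items():
        print(key, value)
```

In real use the two answer tables would be filled by querying the router-assigned resolver and, over a path the router does not control (mobile data, for instance), a trusted public resolver; the comparison logic stays the same. The sinkhole threshold matters: one differing record is normal for sites behind CDNs, while three or more unrelated names collapsing onto one address is the signature of a resolver that answers every query with the attackers’ server.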
Although the IP address is wrong, the URL the user typed is still displayed in the browser address bar, so nothing looks suspicious. The one thing a rogue DNS server cannot forge is a valid TLS certificate for the real site name, so a sudden certificate warning on a site you normally open over HTTPS is a sign that something is wrong.\r\nThere are many DNS-hijacking techniques, but the creators of Roaming Mantis have chosen perhaps the simplest and most effective: they change the DNS settings of compromised routers so that every device behind them resolves names through the attackers’ own rogue DNS servers. That means that regardless of what is typed into the browser address bar of a device connected to such a router, the user is sent to a malicious site.\r\nRoaming Mantis on Android\r\nAfter the user lands on the malicious site, they are prompted to update their browser. Accepting leads to the download of a malicious app named chrome.apk (another version was named facebook.apk).\r\nhttps://www.kaspersky.com/blog/roaming-mantis-malware/22427/\r\nPage 1 of 6\n\nDuring installation the malware requests a long list of permissions, including the rights to read account information, send and receive SMS messages, handle voice calls, record audio, access files, draw its own window on top of other apps, and so on. For an app posing as Google Chrome, the list doesn’t look too suspicious; a user who believes this “browser update” is legitimate is likely to grant everything without even reading it.\r\nOnce installed, the malware uses its access to the account list to find out which Google account is used on the device. It then shows the user a message (drawn on top of all other open windows, another permission it requested) saying that something is wrong with their account and that they need to sign in again. 
A page then opens and prompts the user to enter their name and date of birth.\r\nIt appears that this data, together with the SMS permission that gives access to the one-time codes used for two-factor authentication, is then used by the creators of Roaming Mantis to take over Google accounts.\r\nRoaming Mantis: World tour, iOS debut, and mining\r\nIn the beginning, Roaming Mantis could display messages in four languages: English, Korean, Chinese, and Japanese. But somewhere along the line, its creators decided to expand and added another two dozen languages to their polyglot malware:\r\nArabic\r\nArmenian\r\nBulgarian\r\nBengali\r\nCzech\r\nGeorgian\r\nGerman\r\nHebrew\r\nHindi\r\nIndonesian\r\nItalian\r\nMalay\r\nPolish\r\nPortuguese\r\nRussian\r\nSerbo-Croat\r\nSpanish\r\nTagalog\r\nThai\r\nTurkish\r\nUkrainian\r\nVietnamese\r\nWhile they were at it, the creators also taught Roaming Mantis to attack devices running iOS. It’s a different scenario from the Android attack. On iOS, Roaming Mantis skips the app download; instead, the malicious site displays a phishing page prompting the user to log back in to the App Store right away. To add credibility, the address bar shows the reassuring URL security.apple.com (the rogue DNS server simply resolves that name to the attackers’ server):\r\nThe cybercriminals do not stop at Apple ID credentials; immediately after entering them, the user is asked for a bank card number:\r\nThe third innovation our experts uncovered concerns desktop computers and laptops. On these, Roaming Mantis runs the CoinHive mining script, which mines cryptocurrency straight into the pockets of the malware makers. 
The victim’s processor is driven to full load, which slows the system down and makes it consume far more power.\r\nYou can find more details about Roaming Mantis in the original report and a fresh Securelist post with updated information about the malware.\r\nHow to protect yourself from Roaming Mantis\r\nUse antivirus protection on all devices: not just computers and laptops, but smartphones and tablets too.\r\nRegularly update all installed software on your devices.\r\nOn Android devices, disable the installation of applications from unknown sources. You’ll find this option under Settings -\u003e Security -\u003e Unknown sources.\r\nUpdate your router firmware (check your router’s manual to find out how) as often as possible. Don’t use unofficial firmware downloaded from shady sites.\r\nAlways change the default administrator password on the router.\r\nWhat to do if infected by Roaming Mantis\r\nKaspersky security products detect and remove Roaming Mantis, so your first step is to install antivirus on all of your devices and run a system scan. After you scrub Roaming Mantis from your computers and devices, you’ll need to do a bit of cleanup to avoid reinfection:\r\nChange all passwords for accounts compromised by the malware. Cancel all bank cards whose details you entered on the Roaming Mantis phishing site.\r\nChange the router administrator password and update the firmware. In doing so, be sure to download it only from the official website of the router manufacturer.\r\nNavigate to your router’s settings and check the DNS server address. If it doesn’t match the one issued by your provider — you can find that on your ISP’s website (check it from a safe system!) 
or call them to find out — change it back to the right one (or set the router to obtain its DNS servers automatically from your ISP).\r\nSource: https://www.kaspersky.com/blog/roaming-mantis-malware/22427/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.kaspersky.com/blog/roaming-mantis-malware/22427/"
	],
	"report_names": [
		"22427"
	],
	"threat_actors": [
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439062,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec0bd701c80a7a3776a628b4952ce6921d75dd97.pdf",
		"text": "https://archive.orkl.eu/ec0bd701c80a7a3776a628b4952ce6921d75dd97.txt",
		"img": "https://archive.orkl.eu/ec0bd701c80a7a3776a628b4952ce6921d75dd97.jpg"
	}
}