{
	"id": "86c7dcf2-48ad-493a-9f46-c279b5fb4640",
	"created_at": "2026-04-06T00:21:48.261085Z",
	"updated_at": "2026-04-10T13:12:44.612695Z",
	"deleted_at": null,
	"sha1_hash": "f2f7eb6445d87c3a5e7ec907d0e2a6faee3827ef",
	"title": "Roaming Mantis uses DNS hijacking to infect Android smartphones",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1849336,
	"plain_text": "Roaming Mantis uses DNS hijacking to infect Android\r\nsmartphones\r\nBy Suguru Ishimaru\r\nPublished: 2018-04-16 · Archived: 2026-04-05 19:08:26 UTC\r\nIn March 2018, Japanese media reported the hijacking of DNS settings on routers located in Japan, redirecting\r\nusers to malicious IP addresses. The redirection led to the installation of Trojanized applications named\r\nfacebook.apk and chrome.apk that contained Android Trojan-Banker. According to our telemetry data, this\r\nmalware was detected more than 6,000 times, though the reports came from just 150 unique users (from February\r\n9 to April 9, 2018). Of course, this is down to the nature of the malware distribution, but it also suggests a very\r\npainful experience for some users, who saw the same malware appear again and again in their network. More than\r\nhalf of the detections were observed targeting the Asian region.\r\nDuring our research we received some invaluable information about the true scale of this attack. There were\r\nthousands of daily connections to the command and control (C2) infrastructure, with the device locale for the\r\nmajority of victims set to Korean. Since we didn’t find a pre-existing name for this malware operation, we decided\r\nto assign a new one for future reference. Based on its propagation via smartphones roaming between Wi-Fi\r\nnetworks, potentially carrying and spreading the infection, we decided to call it ‘Roaming Mantis’.\r\nDistribution\r\nRoaming Mantis malware is designed for distribution through a simple, but very efficient trick based on a\r\ntechnique known as DNS hijacking. When a user attempts to access any website via a compromised router, they\r\nwill be redirected to a malicious website. For example, if a user were to navigate to securelist.com using a web\r\nbrowser, the browser would be redirected to a rogue server which has nothing to do with the security research\r\nblog. 
Because the address bar still shows the original URL (the hostname itself now resolves to the attacker’s server, so there is no visible redirect), users are likely to believe the website is genuine. The web page from the rogue server displays the popup message (screenshot below): “To better experience the browsing, update to the latest chrome version.”\r\nhttps://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/\r\nPage 1 of 14\n\nLooking at the HTML source of the malicious webpage, it seems to support five locales: Korean, Traditional Chinese, Simplified Chinese, Japanese and English.\r\nHowever, after carefully studying the HTML source, we found that the actual number of target locales is only four: Korean, Simplified Chinese, Japanese and English, based on Android devices. As shown in the image above, the HTML code contains an identical message in Traditional Chinese and Simplified Chinese. Also, the HTML source contains several short code comments in Simplified Chinese.\r\nAnalyzing chrome.apk\r\nOne of the applications pushed to users impersonated a Chrome browser for Android. Kaspersky Lab got a copy of chrome.apk (md5:f3ca571b2d1f0ecff371fb82119d1afe) in April 2018. The Android application package structure is as follows:\r\nThe package contains classes.dex, which is a Dalvik VM executable file. Its main purpose is to read the file named /assets/db. It decodes the data inside with a Base64 decoder and produces another Dalvik VM executable named test.dex:\r\nThe extracted test.dex contains the main malicious payload, which is described in more detail below. 
The Base64 encoding technique is probably used to bypass trivial signature-based detection.\r\nAndroidManifest.xml contains one of the key components of the package – the permissions requested by the application from the device owner during installation.\r\nFrom the XML above, it seems that Roaming Mantis requests permission to be notified when the device is booted, to use the internet, to collect account information, to manage SMS/MMS and make calls, to record audio, to control external storage, to check installed packages, to work with the file system, to draw overlay windows and so on. All these requests are of course backed up by malicious functionality implemented in test.dex.\r\nFor instance, after installation, the malware overlays all other windows with one carrying a message in broken English: “Account No.exists risks, use after certification”. After that, the malware starts its own webserver on the device, and renders a page spoofing Google’s authentication on 127.0.0.1.\r\nThe page uses a Google account name obtained from the infected device and asks the owner to complete two input boxes with ‘Name:’ and ‘Date of birth:’, which would facilitate access to the user account. After the user enters their name and date of birth, the browser is redirected to a blank page at http://127.0.0.1:${random_port}/submit.\r\nWhile analyzing the extracted test.dex, we found an interesting piece of code.\r\nJust like the distribution page, the malware supports four locales: Korean, Traditional Chinese, Japanese and English. The code above was taken from an original Google authentication page intended for an English environment, though we aren’t sure why the three Korean strings appear here. 
The English translations are as follows:\r\nI have an anomaly on my Google account. For voice verification, enter your verification number to verify your Google account. //구글 계정이 이상이 있습니다.음성검증을 들어 인증번호를 입력하여 구글 계정을 검증하도록합니다.\r\nVerification Number. //인증번호\r\nPlease enter your verification number. //인증번호를 입력하세요\r\nJudging by these strings, it’s clear that the criminals behind the malware are trying to get a verification code for two-factor authentication. There may be a bug or design fault that causes Korean strings to be displayed not just for Korean users but also for those using Japanese and English. Traditional Chinese users will see strings in Traditional Chinese. The authors could have overlooked this in the rush to launch the campaign, but it reveals a certain bias by the authors towards Korean and Traditional Chinese.\r\nPermission to receive/read/write/send SMS/MMS and record audio could also allow the malware operators to steal a verification code for the two-factor authentication function.\r\nSecondly, this malware contains references to Android application IDs popular in South Korea and mostly linked to mobile banking and games.\r\nThe following hardcoded strings were extracted from the malware:\r\nwooribank.pib.smart\r\nkbstar.kbbank\r\nibk.neobanking\r\nsc.danb.scbankapp\r\nshinhan.sbanking\r\nhanabank.ebk.channel.android.hananbank\r\nsmart\r\nepost.psf.sdsi\r\nkftc.kjbsmb\r\nsmg.spbs\r\nwebzen.muorigin.google\r\nncsoft.lineagem19\r\nncsoft.lineagem\r\nco.neople.neopleotp\r\nco.happymoney.android.happymoney\r\nnexon.axe\r\nnexon.nxplay\r\natsolution.android.uotp2\r\nAnother piece of code verifies the presence of the su binary in /system/bin/, /system/xbin/, /system/sbin/, sbin/ or /vendor/bin/ on a 
device.\r\nRegular Android devices do not have the su binary. Its presence means the device is probably rooted. For attackers this may indicate that a device is owned by an advanced Android user (a signal to stop messing with the device) or, alternatively, a chance to leverage root access to gain access to the whole system.\r\nC2 communication\r\nKaspersky Lab discovered a hardcoded URL template (http://my.tv.sohu.com/user/%s) in the malicious application used for malware control. The site my.tv.sohu.com is legitimate; however, some content on the user profile pages is controlled by the owners of the profiles. Using a legitimate site as a dead drop in this way means the first-stage lookup blends in with ordinary web traffic and the operators can rotate the real C2 simply by editing a profile.\r\nA list of account IDs separated by the “|” character was included in the malware: “329505231|329505325|329505338”.\r\nAfter getting the content from the sohu.com webpage, the malware extracts a Chinese string from a specific part of the HTML code.\r\nFor example, the malicious application receives the page at http://my.tv.sohu.com/user/329505338. After that, it uses the hardcoded regular expression “<p>([\\u4e00-\\u9fa5]+?)</p>\\s+</div>” to extract a Chinese string located in a very distinct place on the web page. Next, each character is decoded by subtracting 0x4E00, shifting right by 3 bits and XORing with the word “beg” as a rolling key.\r\nThe result is the real C2 address, which the malware connects to by using a web socket. 
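The dead-drop lookup and decoding described above, written out as an added Python 3 example that is not the write-up’s own code: it carries the regular expressions for both profile layouts the campaign used (my.tv.sohu.com and www.baidu.com), rejects decodes that do not look like host:port, and defangs the result for reporting. The HTML profile pages it runs on are constructed here, not captured; the encoder that produces them is derived by inverting the decoder and is not the actors’ tool.

```python
import re
import string

KEY = 'beg'   # the XOR key named in the write-up

# The CJK class (U+4E00 to U+9FA5) and the whitespace run are spelled out with
# chr()/string.whitespace so the patterns carry no backslash escapes.
CJK_RUN = '([' + chr(0x4E00) + '-' + chr(0x9FA5) + ']+?)'
WS = '[' + string.whitespace + ']+'

# Dead-drop layouts for the two samples; the tag context is the write-up's regular expressions.
PATTERNS = {
    'my.tv.sohu.com': '<p>' + CJK_RUN + '</p>' + WS + '</div>',
    'www.baidu.com': '公司</span>' + CJK_RUN + '<',
}

def decode_c2(encoded):
    # Per character: subtract 0x4E00, shift right by 3, XOR with the rolling key.
    return ''.join(chr(((ord(ch) - 0x4E00) >> 3) ^ ord(KEY[i % 3]))
                   for i, ch in enumerate(encoded))

def encode_c2(plain):
    # Inverse of decode_c2, derived here to build test pages (assumption: not the actors' tool).
    # The shift by 3 discards the low three bits, so the encoder may put anything there;
    # this one stores the character index to show the decoder ignores it.
    return ''.join(chr(0x4E00 + (((ord(ch) ^ ord(KEY[i % 3])) << 3) | (i & 7)))
                   for i, ch in enumerate(plain))

def extract_c2(page, site):
    # Pull the encoded run out of a saved profile page and decode it.
    # Returns host:port, or None when the page holds no run or the decode is not host:port.
    match = re.search(PATTERNS[site], page)
    if match is None:
        return None
    c2 = decode_c2(match.group(1))
    if re.fullmatch('[A-Za-z0-9.-]+:[0-9]+', c2) is None:
        return None          # wrong layout, changed key or shift, or a profile that is not a drop
    return c2

def defang(c2):
    # IOC-style defanging of the last dot in the host part, as the write-up prints it.
    host, port = c2.rsplit(':', 1)
    head, _, tail = host.rpartition('.')
    return (head + '[.]' + tail if head else host) + ':' + port

# Constructed pages standing in for the saved profiles; the addresses are the two that
# the write-up reports as decoder output.
SAMPLE_SOHU = '''<html><body>
<div class='user-intro'>
  <p>{}</p>
</div>
</body></html>'''.format(encode_c2('220.136.76.200:8844'))

SAMPLE_BAIDU = '''<div class='detail'>
<span class='label'>公司</span>{}<br/>
</div>'''.format(encode_c2('220.136.179.5:28833'))

if __name__ == '__main__':
    for site, page in (('my.tv.sohu.com', SAMPLE_SOHU), ('www.baidu.com', SAMPLE_BAIDU)):
        c2 = extract_c2(page, site)
        print(site, '->', defang(c2) if c2 else 'no C2 found')
```

For a real profile page, save it with a plain HTTP client and pass the text to extract_c2 with the matching site name; a None result against the right layout is the signal that the operators changed the page layout, the key or the shift, which is exactly the kind of change the later sample shows.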
We traced this activity in the debug log of an infected device.\r\nIn another recent sample (MD5: 4d9a7e425f8c8b02d598ef0a0a776a58), the connection protocol, including the hardcoded legitimate website, the accounts and the regular expression for retrieving the next-level C2, had been changed:\r\nMD5             f3ca571b2d1f0ecff371fb82119d1afe        4d9a7e425f8c8b02d598ef0a0a776a58\r\nDate            March 29 2018                           April 7 2018\r\nLegitimate web  http://my.tv.sohu[.]com/user/%s         https://www.baidu[.]com/p/%s/detail\r\naccount_IDs     329505231, 329505325, 329505338         haoxingfu88, haoxingfu12389, wokaixin158998\r\npattern         <p>([\\u4e00-\\u9fa5]+?)</p>\\s+</div>     公司</span>([\\u4e00-\\u9fa5]+?)<\r\nEncrypted dex   \\assets\\db                              \\assets\\data.sql\r\nEncoding        Base64                                  Base64 + zlib compression\r\nIn addition, the \\assets\\db file name was changed to \\assets\\data.sql and its encoding was changed from Base64 to Base64+zlib. 
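The two staging schemes in the table (Base64 for /assets/db, Base64 over zlib for /assets/data.sql) can be undone and checked offline. The following Python 3 is an added example, not code from the write-up or from the malware authors: it pulls the staged asset out of an APK, reverses the encoding, and verifies the Dalvik header fields (magic, file_size, adler32 checksum, SHA-1 signature) so that a wrong guess about the transform shows up immediately instead of producing a silently broken test.dex. The APKs it runs on are constructed in-memory stand-ins carrying a fake dex; the assumption that zlib was applied before Base64 in the April sample is mine, and the decoder checks for the dex magic after the Base64 step and only then inflates.

```python
import base64
import hashlib
import io
import zipfile
import zlib

# Dalvik header layout: 8-byte magic, adler32 checksum at 0x08, SHA-1 signature at 0x0C,
# file_size at 0x20, header_size at 0x24, endian_tag at 0x28; the header is 0x70 bytes.
DEX_MAGIC = b'dex' + bytes([0x0A]) + b'035' + bytes([0x00])
DEX_HEADER_LEN = 0x70
STAGED_ASSETS = ('assets/db', 'assets/data.sql')   # names used by the March and April samples

def verify_dex(blob):
    # True when blob is a self-consistent dex: magic, file_size, checksum and signature agree.
    # A failed check after decoding means the wrong transform was undone, not a bad sample.
    if len(blob) < DEX_HEADER_LEN or blob[:8] != DEX_MAGIC:
        return False
    if int.from_bytes(blob[0x20:0x24], 'little') != len(blob):
        return False
    if int.from_bytes(blob[0x08:0x0C], 'little') != (zlib.adler32(blob[0x0C:]) & 0xFFFFFFFF):
        return False
    return blob[0x0C:0x20] == hashlib.sha1(blob[0x20:]).digest()

def decode_asset(blob):
    # Undo Base64, then zlib only when the result is not already a dex.
    # Assumption: the April sample compressed first and Base64-encoded second.
    raw = base64.b64decode(blob)
    if raw.startswith(DEX_MAGIC):
        return raw
    return zlib.decompress(raw)

def unpack_stage2(apk_bytes):
    # Locate and decode the staged payload; returns (asset name, dex bytes), or None when
    # neither asset name is present. Raises ValueError when the decode does not yield a dex.
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = set(apk.namelist())
        for name in STAGED_ASSETS:
            if name not in names:
                continue
            try:
                dex = decode_asset(apk.read(name))
            except (ValueError, zlib.error) as exc:     # binascii.Error is a ValueError
                raise ValueError('%s: not Base64/zlib as expected (%s)' % (name, exc))
            if not verify_dex(dex):
                raise ValueError('%s: decoded bytes are not a consistent dex file' % name)
            return name, dex
    return None

def make_fake_dex(payload):
    # Constructed stand-in for test.dex with a valid header; not real malware code.
    hdr = bytearray(DEX_HEADER_LEN)
    hdr[0x00:0x08] = DEX_MAGIC
    hdr[0x20:0x24] = (DEX_HEADER_LEN + len(payload)).to_bytes(4, 'little')
    hdr[0x24:0x28] = DEX_HEADER_LEN.to_bytes(4, 'little')
    hdr[0x28:0x2C] = (0x12345678).to_bytes(4, 'little')
    body = bytes(hdr) + payload
    body = body[:0x0C] + hashlib.sha1(body[0x20:]).digest() + body[0x20:]
    checksum = zlib.adler32(body[0x0C:]) & 0xFFFFFFFF
    return body[:0x08] + checksum.to_bytes(4, 'little') + body[0x0C:]

FAKE_DEX = make_fake_dex(bytes(range(256)) * 4)

def build_sample_apk(variant):
    # Constructed APK-shaped zip carrying FAKE_DEX the way each sample stages test.dex:
    # 'db' = Base64, 'data.sql' = Base64 over zlib, 'corrupt' = junk, None = no staged asset.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as apk:
        apk.writestr('AndroidManifest.xml', b'<manifest/>')
        apk.writestr('classes.dex', make_fake_dex(b'loader stub'))
        if variant == 'db':
            apk.writestr('assets/db', base64.b64encode(FAKE_DEX))
        elif variant == 'data.sql':
            apk.writestr('assets/data.sql', base64.b64encode(zlib.compress(FAKE_DEX)))
        elif variant == 'corrupt':
            apk.writestr('assets/db', b'this is not the payload')
    return buf.getvalue()

def triage(apk_bytes):
    # One-line summary for a triage log; decode errors are reported rather than raised.
    try:
        found = unpack_stage2(apk_bytes)
    except ValueError as exc:
        return 'error: ' + str(exc)
    if found is None:
        return 'no staged dex'
    name, dex = found
    return '%s -> dex, %d bytes, sha1 %s' % (name, len(dex), hashlib.sha1(dex).hexdigest())

if __name__ == '__main__':
    for variant in ('db', 'data.sql', 'corrupt', None):
        print(variant, ':', triage(build_sample_apk(variant)))
```

On a real sample, hand unpack_stage2 the bytes of chrome.apk or facebook.apk. The header checks separate a wrong decoder from a different packer, which matters here because the April sample changed both the asset name and the encoding in one update.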
The malware author seems to be updating the code quite regularly.\r\nResearchers wishing to track the Roaming Mantis campaign can use the following simplified Python script to decode the real C2 server:\r\n#!/usr/bin/env python3\r\n# -*- coding: utf-8 -*-\r\nimport re\r\nimport sys\r\n\r\n# Read the saved dead-drop page (a my.tv.sohu.com or baidu.com profile) as UTF-8 text.\r\npage = open(sys.argv[1], 'rb').read().decode('utf-8')\r\n\r\n# Pattern for the page layout the sample expects; switch to the sohu.com one for the March sample.\r\n#pattern = r'<p>([\\u4e00-\\u9fa5]+?)</p>\\s+</div>'  # my.tv.sohu.com\r\npattern = r'公司</span>([\\u4e00-\\u9fa5]+?)<'            # baidu.com\r\n\r\nmatch = re.search(pattern, page)\r\nif match is None:\r\n    sys.exit('no encoded C2 string found; check the pattern against the saved page')\r\next = match.group(1)\r\n\r\n# Decode: subtract 0x4E00, shift right by 3, XOR with the rolling key 'beg'.\r\ndec = ''\r\nj = 0\r\nfor i in range(len(ext)):\r\n    dec = dec + chr((ord(ext[i]) - 0x4e00) >> 3 ^ ord('beg'[j]))\r\n    j = (j + 1) % 3\r\nprint(dec)\r\nAn example of script input and output:\r\n$ python dec_facebook_apk.py my.tv.sohu.com_329505338.html\r\n220.136.76[.]200:8844\r\n$ python dec_facebook_apk.py www.baidu.com_p_wokaixin158998_detail.html\r\n220.136.179[.]5:28833\r\nMost interestingly, the malware is embedded with a new feature that communicates with the C2 via email protocols. The data sent contains language, phone number, access information, and the result of a PING test to the C2.\r\nMalware detection statistics\r\nKaspersky Lab products detect Roaming Mantis’s malicious apk file as Trojan-Banker.AndroidOS.Wroba. Based on the verdict, we checked the statistics from Kaspersky Security Network (KSN) for the two months from February 9 to April 9, 2018.\r\nThere were more than 6,000 detections coming from just over 150 unique users. The most affected countries were South Korea, Bangladesh and Japan. Based on the design of the malware and our detection statistics, this malware was designed to be spread mainly in Asian countries. 
While Kaspersky Lab products may only see a limited number of infections, based on further analysis of the C2 infrastructure we saw roughly 3,000 connections to C2 infrastructure per day, which suggests a much larger scale for this Android malware campaign. Upon every connection the malware sends information about compromised devices to the C2, including system locale, which indicates the possible origins of the victims. 98% of affected devices appear to have the Korean locale set.\r\nWe have done some calculations and built the following chart based on observed locales:\r\nThe breakdown of the remaining 2% reveals a few more system locales: en_GB, en_US, zh_CN, ja_JP and others.\r\nAs usual in such cases, Kaspersky Lab has got in touch with local CERTs (South Korea being the first) to provide information about the victims to help unsuspecting users remove the malware and prevent further reinfections.\r\nConclusions\r\nKaspersky Lab observed Roaming Mantis’ Android application being distributed via a DNS hijacking technique with the help of compromised routers. The malware aims to steal user information, including credentials for two-factor authentication, and give the attackers full control over compromised Android devices.\r\nAt the moment, clues appear to suggest a financial motive and low OPSEC for this attack, which is why we think it is likely to be the work of cybercriminal hackers.\r\nOur research revealed that the malware contains Android application IDs for popular mobile banking and game applications in South Korea. The malware is most prevalent in South Korea, and Korean is the first language targeted in HTML and test.dex. 
Based on our findings, it appears the malicious app was originally distributed to South Korean targets. Support was then added for Traditional Chinese, English and Japanese, broadening its target base in the Asian region.\r\nHowever, it’s still unclear how the attackers hijacked the router DNS settings. If you have any concerns about the DNS settings on your router, please check the user manual and verify that your DNS settings haven’t been tampered with, or contact your ISP for support. Kaspersky Lab also strongly recommends changing the default login and password for the admin web interface of your router, never installing firmware from third-party sources and regularly updating router firmware to prevent similar attacks in the future.\r\nBased on our investigation, the Roaming Mantis attackers left some additional clues. For example, some comments in the HTML source, malware strings and a hardcoded legitimate website point to Simplified Chinese. Therefore, we believe the cybercriminals are familiar with both Simplified Chinese and Korean.\r\nThe malicious threat actor behind this campaign remains very active and the malware is updated every day. 
We will keep tracking this campaign to protect our customers and update our readers with new information.\r\nKaspersky Lab products detect this malware with the following verdict(s):\r\nHEUR:Trojan-Banker.AndroidOS.Wroba\r\nIOC\r\nMalicious hosts:\r\n114.44.37[.]112\r\n118.166.1[.]124\r\n118.168.193[.]123\r\n128.14.50[.]146\r\n128.14.50[.]147\r\n220.136.111[.]66\r\n220.136.179[.]5\r\n220.136.76[.]200\r\n43.240.14[.]44\r\nhaoxingfu01.ddns[.]net\r\nshaoye11.hopto[.]org\r\nMalicious apks:\r\n03108e7f426416b0eaca9132f082d568\r\n1cc88a79424091121a83d58b6886ea7a\r\n2a1da7e17edaefc0468dbf25a0f60390\r\n31e61e52d38f19cf3958df2239fba1a7\r\n34efc3ebf51a6511c0d12cce7592db73\r\n4d9a7e425f8c8b02d598ef0a0a776a58\r\n808b186ddfa5e62ee882d5bdb94cc6e2\r\n904b4d615c05952bcf58f35acadee5c1\r\na21322b2416fce17a1877542d16929d5\r\nb84b0d5f128a8e0621733a6f3b412e19\r\nbd90279ad5c5a813bc34c06093665e55\r\nff163a92f2622f2b8330a5730d3d636c\r\nclasses.dex:\r\n19e3daf40460aea22962d98de4bc32d2\r\n36b2609a98aa39c730c2f5b49097d0ad\r\n3ba4882dbf2dd6bd4fc0f54ec1373f4c\r\n6cac4c9eda750a69e435c801a7ca7b8d\r\n8a4ed9c4a66d7ccb3d155f85383ea3b3\r\nb43335b043212355619fd827b01be9a0\r\nb7afa4b2dafb57886fc47a1355824199\r\nf89214bfa4b4ac9000087e4253e7f754\r\ntest.dex:\r\n1bd7815bece1b54b7728b8dd16f1d3a9\r\n307d2780185ba2b8c5ad4c9256407504\r\n3e4bff0e8ed962f3c420692a35d2e503\r\n57abbe642b85fa00b1f76f62acad4d3b\r\n6e1926d548ffac0f6cedfb4a4f49196e\r\n7714321baf6a54b09baa6a777b9742ef\r\n7aa46b4d67c3ab07caa53e8d8df3005c\r\na0f88c77b183da227b9902968862c2b9\r\nSource: https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/"
	],
	"report_names": [
		"85178"
	],
	"threat_actors": [
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434908,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2f7eb6445d87c3a5e7ec907d0e2a6faee3827ef.pdf",
		"text": "https://archive.orkl.eu/f2f7eb6445d87c3a5e7ec907d0e2a6faee3827ef.txt",
		"img": "https://archive.orkl.eu/f2f7eb6445d87c3a5e7ec907d0e2a6faee3827ef.jpg"
	}
}