Roaming Mantis malware evolve to preys on PC, Android and iOS users

Share this…

Recently, researchers unveiled a DNS hijacking campaign that was found to spread malware from banking Trojans to Android smartphone users mostly in Asia, which has now extended its reach to iOS and PC users.

Mantis Roaming malware now targets IOS devices for phishing attacks. A publication of Kaspersky Lab in April, gave details about the Mantis Roaming malware that performs targeted operations to hijack Android devices. The information security experts said that the malware is evolving and its objective is to capture confidential data of the user infecting.


“The landing pages and apk files now support 27 languages covering Europe and the Middle East, and malicious actors added an option for phishing to iOS devices and cryptography capabilities for PCs,” says Kaspersky’s Lab publication.

Now, you can perform various functionalities, as they are; the extraction of cryptocurrencies and the phishing of iOS devices; is also capable of targeting Android devices to steal information. Suguru Ishimaru, a Kaspersky Lab researcher, said the company also analyzed the previous Campaign Roaming Mantis and the findings were detailed in his blog.

It expanded to 27 different languages, including English, Hindi, Russian, Chinese and Hebrew. Initially, the malware was distributed in only five languages, but now the range is widened using an automatic translator, information security experts commented.

mantis 1

Experts explain that it was designed to be distributed through DNS hijacking, for now, this malware is more active in Asian regions, such as; Bangladesh, India, Japan and South Korea. Although, there are reports of the malware targeting devices in the Middle East and Europe.

According to information security experts, Roaming Mantis, works by redirecting victims to a malicious web page through the hijacking of DNS while the page is distributed through a fake Facebook or Chrome application (‘facebook.apk’ or ‘ chrome.apk ‘). This application contains an Android Trojan-Banker, and must be installed manually by the victim. The professionals also noted that the comments are published in simplified Chinese.

To hijack iOS devices, a page that mimics Apple’s official website that claims to be ‘’ is distributed. Upon entering the page, you are required to provide user ID, passwords, CVV, card expiration and card number. This site supports 25 languages.

The information security researchers say that Roaming Mantis is able to steal private and confidential data from Apple and Android mobile phones, and that cryptocurrency mining is done in the inclusion of a script in the HTML source code of the malware, which runs every time open the browser.

mantis 2

A Coinhive Javascript miner runs to exploit the device’s CPU and extract the Monero cryptocurrency. The professionals also commented that the cryptocurrency mining of Mantis Roaming is quite subtle. Since most users may not realize that the resources of their device are being used.

So far, more than 150 successful attacks have been observed, but this could represent only a small fraction of the overall picture, since DNS hijacking is quite difficult to identify.