The Roaming Mantis group is targeting the States with a malware that can steal information, harvest financial data and send texts to self-propagate.
The Wroba mobile banking trojan has made a major pivot, targeting people in the U.S. for the first time.
According to researchers at Kaspersky, a wave of attacks is taking aim at U.S. Android and iPhone users in an effort that started on Thursday. The campaign spreads via text messages, using fake “package delivery” notifications as a lure.
The message inside the SMS contains a link and reads, “Your parcel has been sent out. Please check and accept it,” noted researchers from Kaspersky, in an emailed alert on Friday.
If users click on the link, what happens next depends on the device’s operating system. Android users are taken to a malicious site that surfaces an alert claiming the browser is out of date and needs to be updated. If the user taps ‘OK’, the download of a trojanized browser package carrying the malicious application begins.
But where Android users are served up the full Wroba download, according to researchers, the executable doesn’t work on iPhone. For iOS users the Wroba operators instead engineer a redirect to a phishing page. The page mimics the Apple ID login page in an effort to harvest credentials from Apple aficionados, but no malware is installed.
Apple had more than half of the total U.S. smartphone market share as of May.
Wroba has been around for years, but previously mainly targeted users in APAC. It was first developed as an Android-specific mobile banking trojan, capable of stealing files related to financial transactions, but has since expanded its functionality. Researchers believe the operators behind Wroba are China-based and known as “Roaming Mantis.”
This latest iteration of Wroba can send SMS messages, check which apps are installed, open web pages, harvest any files related to financial transactions, steal contact lists, call specified numbers and show fake phishing pages to steal victims’ credentials, researchers said.
Once it has infected a device, Wroba uses some of its functionality – stolen contact lists and the SMS capability – to propagate, using infected devices to spread further by sending SMS with malicious links, purporting to come from the host.
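As an added illustration (not code from Kaspersky’s or Lookout’s research), the detector below applies the two observable traits reported above, the parcel-delivery lure text carrying a link and a burst of such messages fanning out from a single infected handset, to a constructed batch of SMS records; the phone numbers, URLs and thresholds are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SMS records (sender, recipient, timestamp, body); not real telemetry.
SAMPLE_SMS = [
    ("+15550000001", "+15550000010", datetime(2020, 10, 29, 9, 0), "Your parcel has been sent out. Please check and accept it. http://example.test/p"),
    ("+15550000001", "+15550000011", datetime(2020, 10, 29, 9, 1), "Your parcel has been sent out. Please check and accept it. http://example.test/p"),
    ("+15550000001", "+15550000012", datetime(2020, 10, 29, 9, 2), "Your parcel has been sent out. Please check and accept it. http://example.test/p"),
    ("+15550000002", "+15550000020", datetime(2020, 10, 29, 9, 5), "Running late, see you at 7"),
    ("+15550000003", "+15550000030", datetime(2020, 10, 29, 9, 6), "Your package delivery failed, reschedule at http://example.test/d"),
    ("+15550000003", "+15550000031", datetime(2020, 10, 29, 13, 0), "Package delivery update http://example.test/d"),
]

# Lure wording taken from the campaign described above; a production rule set would be broader.
LURE_PATTERNS = [
    re.compile(r"\bparcel\b.*\bsent out\b", re.I),
    re.compile(r"\bcheck and accept\b", re.I),
    re.compile(r"\bpackage delivery\b", re.I),
]
URL_RE = re.compile(r"https?://\S+", re.I)

def is_parcel_lure(body: str) -> bool:
    """A lure needs both delivery-themed wording and a link for the victim to click."""
    return bool(URL_RE.search(body)) and any(p.search(body) for p in LURE_PATTERNS)

def find_propagation_sources(records, window=timedelta(minutes=10), threshold=3):
    """Return senders that fan lure SMS out to >= threshold distinct recipients inside
    any sliding window; that burst is the self-propagation signature described above."""
    by_sender = defaultdict(list)
    for sender, recipient, ts, body in records:
        if is_parcel_lure(body):
            by_sender[sender].append((ts, recipient))
    flagged = {}
    for sender, events in by_sender.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            recipients = {r for ts, r in events[i:] if ts - start <= window}
            if len(recipients) >= threshold:
                flagged[sender] = len(recipients)  # record the burst size that tripped the rule
                break
    return flagged

if __name__ == "__main__":
    print(find_propagation_sources(SAMPLE_SMS))  # {'+15550000001': 3}
```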
“Wroba shows how delivering malware to a device can enable longer-term gain for the attack,” according to Hank Schless, senior manager of security solutions at Lookout, which has been tracking Wroba as well.
“A credential-harvesting link only targets you for one purpose, such as when you receive an SMS saying your bank account has been compromised and the intent is to phish your banking credentials,” he told Threatpost.
“Wroba, on the other hand, can sit silently in the background and deliver credential harvesting pages to your browser at will,” he said. “As long as it goes unnoticed, it can attempt to grab your login data for even your most private accounts.”
The malware has targeted users worldwide since the start of the year, researchers said, mainly in China, Japan and the Russian Federation.
“The USA is currently not at the top of the list but it seems that cybercriminals are heading to this region and the number of users seeing Wroba will increase,” according to Kaspersky. “The wave was detected on 29th of October and targeted users in different states of USA (judging by the phone numbers that were the targets of this campaign).”
The firm added, “Previously seen campaigns targeted users from APAC, so it is interesting to see how cybercriminals expand their targets.”
In 2018, Wroba saw a major reboot when it began targeting Europe and the Middle East in addition to Asian countries. According to Kaspersky researchers at the time, it also expanded its capabilities to include cryptomining as well as the iOS phishing tactic mentioned previously. At that point, it was spreading via DNS hijacking, which redirected users to a malicious webpage that, as in the current campaign, distributed a trojanized application (at that time, it was pretending to be either Facebook or Chrome).
Roaming Mantis has swarmed into the U.S. in the past, it should be noted. This summer, it was spotted trotting out a different SMS phishing campaign that spread the FakeSpy infostealer. The malware, which was disguised as legitimate global postal-service apps, also steals SMS messages, financial data and more from the victims’ devices. It started by going after South Korean and Japanese speakers, but then expanded that targeting to China, Taiwan, France, Switzerland, Germany, the United Kingdom and the United States.
Schless told Threatpost that according to Lookout data, 88 percent of U.S. consumer phishing attacks so far in 2020 were attempts to deliver malware to the mobile device.
To avoid becoming a victim of Wroba, or any other mobile malware, users should practice basic security hygiene, researchers stressed: only downloading applications from official stores; disabling the installation of applications from third-party sources in smartphone settings; and avoiding suspicious links from unknown senders, or even suspicious links from known senders.
“People are still grasping to avoid phishing attacks by email,” Ray Kelly, principal security engineer at WhiteHat Security, told Threatpost. “Now, SMS messaging is complicating matters further. SMS should be treated the same as email, never click on links from unknown or suspicious senders.”