A new Android app has been found that tricks unsuspecting users (even those with clean devices) into visiting malicious versions of popular websites, where they may end up giving up their login credentials, or even money.
The findings come from Kaspersky, which found a malicious Android app that distributed Wroba.o/Agent.eq (also known as Moqhao and XLoader).
When the app is downloaded, it attempts to log in to the Wi-Fi router the mobile device is connected to. To do this, it tries the most common username/password combinations, as well as well-known factory default credentials (e.g. admin/admin). If successful, it changes the router's DNS server to a malicious one controlled by the threat actor.
Roaming Mantis
This allows malware operators to redirect all users connected to the selected Wi-Fi network, including those without malware, to malicious versions of popular websites.
For example, if a compromised endpoint connects to public Wi-Fi at a crowded coffee shop, and ends up changing the router’s DNS server settings, everyone else in that coffee shop trying to connect to Facebook will actually be redirected to a fake Facebook page. There, they will be asked to provide their login information, and if they do, they will end up giving away their login credentials to scammers.
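The attack described above leaves two observable traces on a victim's device: the resolver address handed out by the (now tampered) router, and DNS answers for well-known sites that point somewhere they should not. The following added example (not code from Kaspersky or from the article) shows a small audit that a defender can run against both signals. It parses resolv.conf-style text, flags any resolver not in an expected allowlist, and compares A-record answers from the local resolver against answers obtained from a trusted out-of-band resolver. All addresses, the allowlist and the answer sets are constructed sample values from RFC 5737 documentation ranges, not real infrastructure.

```python
import ipaddress
from typing import Dict, List, Set

# Resolvers a client on this network is expected to receive via DHCP.
# Constructed example: the router itself plus one upstream resolver (hypothetical addresses).
EXPECTED_RESOLVERS: Set[str] = {"192.168.1.1", "203.0.113.53"}

# Constructed resolv.conf as a DHCP client might write it after the router was tampered with.
SAMPLE_RESOLV_CONF = """# Generated by DHCP client (constructed sample)
search home.lan
nameserver 192.168.1.1
nameserver 198.51.100.77   # second resolver injected by the changed router setting
"""

# Constructed A-record answers: what the local resolver returned versus what a
# trusted resolver (e.g. queried over DNS-over-HTTPS on a separate path) returned.
SAMPLE_LOCAL_ANSWERS: Dict[str, Set[str]] = {
    "facebook.com": {"198.51.100.20"},          # phishing host, not a real address
    "example.com": {"203.0.113.80"},
}
SAMPLE_TRUSTED_ANSWERS: Dict[str, Set[str]] = {
    "facebook.com": {"203.0.113.10", "203.0.113.11"},
    "example.com": {"203.0.113.80"},
}


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # skip malformed entries rather than fail the audit
    return servers


def unexpected_resolvers(servers: List[str], expected: Set[str] = EXPECTED_RESOLVERS) -> List[str]:
    """Resolvers the client is using that are not on the allowlist for this network."""
    return [s for s in servers if s not in expected]


def compare_answers(local: Dict[str, Set[str]], trusted: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Report domains whose local answers share no address with the trusted resolver's answers."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for name, trusted_ips in trusted.items():
        local_ips = local.get(name, set())
        if local_ips and not (local_ips & trusted_ips):
            findings[name] = {"local": sorted(local_ips), "trusted": sorted(trusted_ips)}
    return findings


def audit(resolv_text: str, local: Dict[str, Set[str]], trusted: Dict[str, Set[str]]) -> Dict[str, object]:
    """Combine both checks into one report; 'suspicious' is True if either signal fires."""
    servers = parse_resolv_conf(resolv_text)
    rogue = unexpected_resolvers(servers)
    mismatches = compare_answers(local, trusted)
    return {
        "resolvers": servers,
        "unexpected_resolvers": rogue,
        "answer_mismatches": mismatches,
        "suspicious": bool(rogue or mismatches),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RESOLV_CONF, SAMPLE_LOCAL_ANSWERS, SAMPLE_TRUSTED_ANSWERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The resolver-address check is the stronger of the two signals: a router that has been reconfigured hands out the attacker's resolver to every client, whether or not that client runs the malware. The answer comparison is a heuristic, because sites served from CDNs legitimately return different addresses to different resolvers, so treat a mismatch as a prompt to investigate rather than proof of hijacking.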
The researchers did not name the apps being distributed, but said that the APK files had been downloaded at least 46,000 times across Japan, Austria, France, Germany, South Korea, Turkey, Malaysia and India. With over 24,000 downloads, Japan is by far the worst affected country.
The group behind the apps is allegedly Roaming Mantis. To protect against this type of attack, the best course of action would be to avoid connecting to important accounts on public Wi-Fi networks.
Via: ArsTechnica