Wi-Fi routers are being hit by a dangerous new Android malware with extra DNS hacks


A new Android app has been discovered that tricks unsuspecting users (even those with clean devices) into visiting malicious versions of popular websites, where they can end up giving away their credentials or, worse, money.

The findings come from Kaspersky, which discovered that a malicious Android app containing the Wroba.o/Agent.eq (aka Moqhao, XLoader) malware was being distributed.

Once downloaded, the app attempts to log in to the Wi-Fi router the mobile device is connected to. To do that, it tries the most common username and password combinations, as well as known factory-default combinations (such as admin/admin). If successful, it changes the router's DNS server setting to a malicious server that the threat actor controls.

Roaming Mantis

This allows the operators of the malware to redirect all users connected to that particular Wi-Fi network, including those without the malware, to malicious versions of popular websites.

For example, if a compromised endpoint connects to public Wi-Fi in a busy cafe and changes the DNS server settings in the router, anyone in that cafe trying to connect to Facebook will actually be redirected to a fake Facebook page. There they are asked to provide their credentials, and if they do, they hand those credentials to the crooks.

The researchers did not name the apps being distributed, but said the APKs have been downloaded at least 46,000 times in Japan, Austria, France, Germany, South Korea, Turkey, Malaysia and India. With more than 24,000 downloads, Japan is by far the hardest hit country.

The group behind the apps is said to be Roaming Mantis. To protect against this type of attack, avoid connecting to important accounts on public Wi-Fi networks.
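A defender can spot this kind of router-level DNS tampering by comparing what the Wi-Fi-assigned resolver returns with answers obtained over a connection known to be clean. The sketch below is an added example, not code from Kaspersky or the original article; the function name, the severity labels, the /24 tolerance for CDN rotation and all sample hostnames and addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ranges that should never be returned as the address of a public website.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def assess_resolver(local, reference):
    """Compare A records from the Wi-Fi-assigned resolver with trusted ones.

    local / reference: dict of hostname -> set of IPv4 strings.
    Returns a sorted list of (hostname, ip, severity, reason) tuples.
    """
    hosts_by_ip = defaultdict(set)
    for host, ips in local.items():
        for ip in ips:
            hosts_by_ip[ip].add(host)

    findings = []
    for host, ips in local.items():
        # CDNs rotate addresses, so match on the /24 of each trusted answer.
        ref_nets = [ipaddress.ip_network(f"{ip}/24", strict=False)
                    for ip in reference.get(host, ())]
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in ref_nets):
                continue  # consistent with the trusted answer
            if any(addr in net for net in INTERNAL_NETS):
                findings.append((host, ip, "high", "internal address"))
            elif len(hosts_by_ip[ip]) > 1:
                # A rogue resolver often points many sites at one phishing host.
                findings.append((host, ip, "high", "shared by unrelated sites"))
            else:
                findings.append((host, ip, "low", "differs from reference"))
    return sorted(findings)

# Constructed sample data (documentation IP ranges, .example hostnames).
REFERENCE = {"social.example": {"198.51.100.10", "198.51.100.11"},
             "bank.example": {"203.0.113.20"},
             "mail.example": {"203.0.113.80"}}
HIJACKED = {"social.example": {"192.0.2.66"},
            "bank.example": {"192.0.2.66"},
            "mail.example": {"203.0.113.81"}}

if __name__ == "__main__":
    for finding in assess_resolver(HIJACKED, REFERENCE):
        print(finding)
```

A "low" finding on its own is usually CDN variation; the "high" findings are the ones that justify checking the router's DNS setting and admin password.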

Via: Ars Technica
