A new Android app has been discovered that tricks unsuspecting users (even those with clean devices) into malicious versions of popular websites where they can give away their login details or, worse, their money.
The findings come courtesy of Kaspersky, which discovered that a malicious Android app containing Wroba.o/Agent.eq (aka Moqhao, XLoader) malware was being distributed.
Once downloaded, the app will try to connect to the Wi-Fi router to which your mobile device is connected. To do this, it will try the most common username and password combinations, as well as those known to come with factory settings (such as admin/admin). If successful, it will change the DNS server to a malicious server controlled by the threat actor.
Wandering mantis
This allows malware operators to redirect all users connected to that particular WiFi network, including those without malware, to malicious versions of popular websites.
For example, if an infected endpoint connects to a public Wi-Fi network in a busy coffee shop and changes the DNS server settings on the router, everyone else in that coffee shop who tries to connect to Facebook will actually be redirected to a fake Facebook page. There, they will be asked to enter their login details and if they do, they will end up giving their login details to scammers.
The researchers did not name the distributed apps, but said the APKs were downloaded at least 46,000 times in Japan, Austria, France, Germany, South Korea, Turkey, Malaysia and India. With over 24,000 downloads, Japan is by far the most affected country.
The group behind the apps is allegedly Roaming Mantis. To protect against these types of attacks, the best solution would be to avoid connecting to important accounts on public Wi-Fi networks.
By: ArsTechnica (opens in a new tab)