Crooks Hijack Router DNS Settings to Redirect Users to Android Malware

Faybert (thread author)
Malware authors have hijacked DNS settings on vulnerable routers to redirect users to sites hosting Android malware.

According to Kaspersky Lab telemetry data, these were small-scale attacks, as crooks only hijacked traffic from just 150 unique IP addresses, redirecting users to malicious sites around 6,000 times between February 9 and April 9, 2018.

But while researchers weren't able to determine how crooks managed to gain access to home routers to change DNS settings, they were able to get their hands on a sample of the Android malware used in these attacks, a unique strain they named Roaming Mantis.
Crooks hid malware in Chrome and Facebook clones

For these attacks, crooks redirected users to pages peddling clones of Android apps like Google Chrome for Android (chrome.apk) and Facebook (facebook.apk).

Both the websites hosting the fake apps and the apps themselves were available in five languages —Korean, Traditional Chinese, Simplified Chinese, Japanese, and English.

These apps used excessive permissions, allowing them total access to the users' smartphones. The apps' main purpose was to overlay login screens on top of various apps.
.........
.........
.........
 

upnorth
Roaming Mantis malware is designed for distribution through a simple, but very efficient trick based on a technique known as DNS hijacking. When a user attempts to access any website via a compromised router, they will be redirected to a malicious website. For example, if a user were to navigate to securelist.com using a web browser, the browser would be redirected to a rogue server which has nothing to do with the security research blog. As long as the browser displays the original URL, users are likely to believe the website is genuine.

It's still unclear how the attackers hijacked the router DNS settings. If you have any concerns about the DNS settings on your router, please check the user manual and verify that your DNS settings haven't been tampered with, or contact your ISP for support. Kaspersky Lab also strongly recommends changing the default login and password for the admin web interface of your router, never installing firmware from third-party sources, and regularly updating router firmware.

Source: Roaming Mantis uses DNS hijacking to infect Android smartphones

More about router security here: Router Security
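The post above describes the two things a home user can actually check for: whether the resolver addresses the router hands out are what they should be, and whether the name a browser asked for (securelist.com in the example) is being answered with an address that a trusted resolver would never return. The script below is an added example, not code from the thread, from Kaspersky Lab, or from the Roaming Mantis report. The resolv.conf text, the rogue resolver 203.0.113.5 and the answer addresses in 198.51.100.0/24 are all constructed documentation-range values standing in for real data; the public resolver allowlist is an assumption you would replace with the resolvers your network is supposed to use.

```python
"""Added example: check a LAN for the two symptoms of router DNS hijacking.

1. suspicious_resolvers(): the resolvers pushed to the client (via DHCP or
   set by hand) are neither the router itself nor a known public resolver.
2. compare_answers(): the system resolver's answer for a name shares no
   address with the answer from a trusted reference resolver.
The address bar still shows the original URL during such a hijack, so the
resolver answer, not the URL, is what has to be checked.
"""
import ipaddress
import re
import socket
from typing import Dict, List, Set

# Assumed allowlist of public resolvers (real, well-known addresses). Anything
# outside this set and outside RFC 1918 space is flagged. Replace with the
# resolvers your ISP or network actually uses.
TRUSTED_PUBLIC_RESOLVERS: Set[str] = {
    "1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112",
}
# A home router normally hands out its own LAN address as the resolver.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text, in
    order, ignoring comments and unrelated directives (search, options)."""
    servers: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers


def classify_resolver(addr: str) -> str:
    """Classify a resolver address as trusted-public, lan, unexpected or invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in TRUSTED_PUBLIC_RESOLVERS:
        return "trusted-public"
    if any(ip in net for net in PRIVATE_NETS):
        return "lan"
    return "unexpected"


def suspicious_resolvers(servers: List[str]) -> List[str]:
    """Resolvers that are neither on the allowlist nor on the LAN: the symptom
    of a router whose DNS settings were changed to point at an attacker."""
    return [s for s in servers if classify_resolver(s) in ("unexpected", "invalid")]


def compare_answers(system_answers: Dict[str, Set[str]],
                    reference_answers: Dict[str, Set[str]]) -> List[str]:
    """Names for which the system resolver and a trusted reference resolver
    share no address at all. Large sites rotate addresses, so a partial
    difference is normal; zero overlap is the hijack signal."""
    mismatched: List[str] = []
    for name, reference in reference_answers.items():
        if not (system_answers.get(name, set()) & reference):
            mismatched.append(name)
    return mismatched


def resolve_live(names: List[str]) -> Dict[str, Set[str]]:
    """Look names up with whatever resolver the OS is configured to use (on a
    hijacked LAN, that is the attacker's). Network errors yield an empty set
    so the comparison can still run."""
    answers: Dict[str, Set[str]] = {}
    for name in names:
        try:
            answers[name] = {r[4][0] for r in socket.getaddrinfo(name, 80, socket.AF_INET)}
        except OSError:
            answers[name] = set()
    return answers


# Constructed sample input (not real data): a resolv.conf as a tampered router
# might push it via DHCP. 203.0.113.5 is a documentation address standing in
# for an attacker-controlled resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from the router
search home.lan
nameserver 192.168.0.1
nameserver 203.0.113.5
options timeout:2
"""

# Constructed answers: the system resolver hands back the rogue address for
# securelist.com while the trusted resolver returns a different (made-up) one;
# example.org resolves identically on both and must not be flagged.
SAMPLE_SYSTEM_ANSWERS = {"securelist.com": {"203.0.113.5"}, "example.org": {"198.51.100.20"}}
SAMPLE_REFERENCE_ANSWERS = {"securelist.com": {"198.51.100.10"}, "example.org": {"198.51.100.20"}}

if __name__ == "__main__":
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("resolvers:", servers, "suspicious:", suspicious_resolvers(servers))
    print("mismatched:", compare_answers(SAMPLE_SYSTEM_ANSWERS, SAMPLE_REFERENCE_ANSWERS))
```

To use it for real, feed parse_resolv_conf() your client's resolver configuration (or the DNS servers shown on the router's DHCP/WAN page), take the reference answers from a direct query to a resolver you trust (for example `nslookup securelist.com 1.1.1.1` from a machine outside the suspect LAN, or over a VPN), and pass the live answers from resolve_live() as the system side. A LAN resolver address passing the first check is not proof of safety: the router itself may be forwarding to the attacker, which is exactly what the second check catches.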

Daviworld
I did notice an uptick in malicious actors over the last few weeks hitting my router: trying to find old exploits, port scanning, looking for backdoors, etc. Luckily, I am a network & security professional, so I was easily able to mitigate these threats and go on about my day. At least for myself, the attacks have fallen off by quite a bit.

However, I worry about the people who don't have my skill-set; how will they protect their networks? Or my elderly relatives who just play casino games on their tablet on a default Comcast-configured internet router. As for myself, I no longer connect to my relatives' networks unless they let me secure them first, lol, or I'll connect to my VPN first.

upnorth
I worry about the people who don't have my skill-set; how will they protect their networks? Or my elderly relatives who just play casino games on their tablet on a default Comcast-configured internet router.

ISPs that supply a router with their subscription normally update the router automatically, because they test the update before it's released, trying to avoid general issues as much as possible. Of course not all ISPs, but at least those that genuinely care about their customers will. It's also imperative to check from time to time that the security settings are still there and haven't been erased/set back to default. That could be a sign of either a simple update or something worse. Always contact the ISP if unsure.

Daviworld
ISPs that supply a router with their subscription normally update the router automatically, because they test the update before it's released, trying to avoid general issues as much as possible. Of course not all ISPs, but at least those that genuinely care about their customers will. It's also imperative to check from time to time that the security settings are still there and haven't been erased/set back to default. That could be a sign of either a simple update or something worse. Always contact the ISP if unsure.

Glad to see some ISPs care. I generally check my grandparents' router configs from time to time when I visit for any foul play, but leave everything as default so when other relatives come over they can connect without a hassle. Also, being that IT guy in my family, everyone always has "something" wrong they need me to look at, lol, since some family members have very terrible browsing habits.

upnorth
Normally, doing the few security settings found on Router Security under "Secure Router Configuration - Start With This" shouldn't brick anything or create any hassle with common internet use, whether it's local or anyone visiting, and I wouldn't be surprised if your relatives would love tip number 10.