Crooks Hijack Router DNS Settings to Redirect Users to Android Malware

Faybert

Level 24
Thread author
Verified
Top Poster
Well-known
Jan 8, 2017
1,318
Malware authors have hijacked DNS settings on vulnerable routers to redirect users to sites hosting Android malware.

According to Kaspersky Labs telemetry data, these were small-scale attacks, as crooks only hijacked traffic from just 150 unique IP addresses, redirecting users to malicious sites around 6,000 times between February 9 and April 9, 2018.

But while researchers weren't able to determine how crooks managed to gain access to home routers to change DNS settings, they were able to get their hands on a sample of the Android malware used in these attacks —an unique strain they named Roaming Mantis.
Crooks hid malware in Chrome and Facebook clones

For these attacks, crooks redirected users to pages peddling clones of Android apps like Google Chrome for Android (chrome.apk) and Facebook (facebook.apk).

Both the websites hosting the fake apps and the apps themselves were available in five languages —Korean, Traditional Chinese, Simplified Chinese, Japanese, and English.

These apps used excessive permissions, allowing them total access to the users' smartphones. The apps' main purpose was to overlay login screens on top of various apps.
.........
.........
.........
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Roaming Mantis malware is designed for distribution through a simple, but very efficient trick based on a technique known as DNS hijacking. When a user attempts to access any website via a compromised router, they will be redirected to a malicious website. For example, if a user were to navigate to securelist.com using a web browser, the browser would be redirected to a rogue server which has nothing to do with the security research blog. As long as the browser displays the original URL, users are likely to believe the website is genuine.

it’s still unclear how the attackers hijacked the router DNS settings. If you have any concerns about the DNS settings on your router, please check the user manual and verify that your DNS settings haven’t been tampered with, or contact your ISP for support. Kaspersky Lab also strongly recommends changing the default login and password for the admin web interface of their router, never install firmware from third-party sources and regularly update router firmware

Source : Roaming Mantis uses DNS hijacking to infect Android smartphones

More about Router Security here : Router Security
 
  • Like
Reactions: Daviworld

Daviworld

Level 2
Verified
Feb 19, 2018
60
I did notice a uptick in malicious actor's over the last few weeks hitting my router. Trying to find old exploits, port scanning, looking for backdoors, etc. Luckily, I am a network & security professional, so I was easily able to mitigate these threats and go on about my day. At least for myself the attacks have fallen down by quite a bit.

However, I worry about the people who don't have my skill-set, how will they protect their networks? Or, my elderly relatives who just play casino games on their tablet on a default Comcast configured internet router. As for myself, I no longer connect to my relatives networks unless they let me secure it first lol or I'll connect to my vpn first
 
  • Like
Reactions: upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
I worry about the people who don't have my skill-set, how will they protect their networks? Or, my elderly relatives who just play casino games on their tablet on a default Comcast configured internet router.

ISPs that supply a router with there subscription normaly update the router automatic because they test the update before it's released trying avoid as much as possible general issues etc. Ofcourse not all ISPs but atleast those that genuine care about there customers will. It's also imperative to check from time to time if the security settings is still there and not erased/set back to default. That could be a sign of either a simple update or something worse. Always contact the ISP if unsure.
 
  • Like
Reactions: Daviworld

Daviworld

Level 2
Verified
Feb 19, 2018
60
ISPs that supply a router with there subscription normaly update the router automatic because they test the update before it's released trying avoid as much as possible general issues etc. Ofcourse not all ISPs but atleast those that genuine care about there customers will. It's also imperative to check from time to time if the security settings is still there and not erased/set back to default. That could be a sign of either a simple update or something worse. Always contact the ISP if unsure.

Glad to see some ISPs care, I generally check my grandparents router configs from time to time when I visit for any foul play, but leave everything as default so when other relatives come over they can connect without a hassle. Also, being that IT guy in my family, everyone always has "something" wrong they need me to look at lol, since some family member's have very terrible browsing habits
 
  • Like
Reactions: upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Normaly doing the few security settings found on Router Security under " Secure Router Configuration - Start With This " shouldn't brick or create any hassel with common internet use either it's local or anyone visit and I wouldn't be surprised if your relatives would love tip number 10. (y):giggle:
 
  • Like
Reactions: Daviworld

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top