Roaming Mantis added some extra spreading capabilities, now using phishing text messages which contain malicious URLs designed to redirect the user to a website which installs the FakeSpy Android malware that steals information from Korean and Japanese users.
The cyber crooks also use the prezi.com website which hosts dynamic presentations. The victims are redirected to a specially crafted presentation containing code which would send them to malicious web pages created to either install malware or use the target's computer as a crypto miner. This propagation method is not working at the moment because of coding errors made by the crooks.
GReAT also found a database of records containing more than 4800 entries (in June 2018), with passwords, banking, and credit card info, as well as names, phone numbers, and personal information, which they consider to be data collected during the Roaming Mantis campaign.
As mitigation measures, GReAT recommends Android users to disable the option which allows their device to install applications from third-party repositories.
