Roaming Mantis Expands Android Backdoor to Europe

The ‘smishing’ group lives up to its name, expanding globally and adding image exfiltration to the Wroba RAT it uses to infect mobile victims.

The Roaming Mantis Android malware campaign has buzzed into Europe, quickly infesting France in particular, where there have been 66,789 downloads of the group’s specific remote access trojan (RAT) as of January.

The campaign pushes the Android RAT known as Wroba (aka Moqhao or XLoader) onto victim devices. According to research from Kaspersky, the RAT has been updated with the ability to exfiltrate images and galleries from a victim device, which potentially paves the way for lifting sensitive information from things like drivers’ licenses, abusing stored QR codes for payment services, or even for blackmail or sextortion.

Roaming Mantis has been on the move since 2018, mostly observed in Japan, South Korea and Taiwan. Now, its arrival in France has resulted in that country seeing the highest volume of attacks worldwide, according to researchers at Kaspersky. There have also been detections in Germany.

“The actor is focusing on expanding infection via smishing to users in Europe,” Kaspersky researchers noted in a Monday writeup. “The campaign in France and Germany was so active that

Read More: https://threatpost.com/roaming-mantis-android-backdoor-europe/178247/