An ongoing smishing campaign by a Chinese-speaking group has been consistently targeting Android users in Asian countries using different mobile malware such as MoqHao, SpyAgent, and FakeSpy. The latest wave of this campaign has been targeting Japanese users with a new Android malware called SmsSpy.
The latest wave with SmsSpy
The McAfee Mobile Research team has released details about the recent wave of Roaming Mantis’s smishing campaign.
In this attack, the operators lured victims with smishing messages that used fake domains resembling the targeted company and its service.
In another variation of attack, a smishing message pretended to be a Bitcoin operator, redirecting the victims to a phishing website that asked users to verify a login attempt.
The recent wave targets Android devices by using one of two variants of SmsSpy depending on the Android OS version used by the targets. The malware pretends to be a Chrome app (on Android 9 or earlier devices) or a Google Play app (on Android 10 or later).
SmsSpy can steal information such as the Android OS version number, phone number, device model, internet connection type, and unique device ID from infected Android devices.
In addition, the smishing campaign delivered MoqHao, SpyAgent, and FakeSpy as well.
Earlier similar campaigns
The Roaming Mantis group has led similar campaigns in the past as well.
In the second half of 2020, the group launched a smishing campaign with FakeSpy, which masqueraded as legitimate postal service and transportation apps, and began targeting users around the world.
In August 2019, the group targeted Japanese and Korean users with the SpyAgent spyware, which masqueraded as a security application on Google Play to spy on victims.
In 2017, the group adopted dynamic DNS services. It was observed spreading messages with phishing URLs that infected victims with the fake Chrome application MoqHao.
The use of different mobile malware demonstrates how Roaming Mantis has consistently invested effort in developing and modifying its payloads and infrastructure since 2017. Moreover, researchers suspect that this could be the work of more than one group of attackers working together. In any case, organizations and security agencies need to make regular efforts to monitor the risks posed by such threats.