
Roaming Mantis Operators Use Fake SMS Messages to Lure European Targets

Roaming Mantis, a malicious campaign that has been active since 2018, has expanded its geography by adding two new European countries, France and Germany, to its main target regions.

What’s in the campaign?

The Roaming Mantis campaign has been targeting Android and iPhone users in Germany and France via SMS phishing (smishing) pages and malicious apps, according to a recent report by Kaspersky.
  • The phishing lure contains a very short description related to a fake delivery package and a URL to a landing page. 
  • When the link is clicked and the landing page opens, iOS users are redirected to a phishing page imitating the official Apple website, which attempts to steal the user's Apple login credentials.
  • Android users are taken to a phishing page impersonating apps such as Google Chrome, the Yamato transport app, and ePOST, which attempts to download the Wroba malware onto the Android device.

Tools and tactics

The infection chain begins with a smishing message sent to the potential victim.
  • In its most recent form, the criminal group has used a trojan named 'Wroba' (Wroba.g/Wroba.o) to target users via compromised legitimate websites.
  • Moreover, in this campaign the programming language of the Wroba loader and payload was changed from Java to Kotlin, a language with great interoperability with Java.
  • In recent campaigns, the developer has altered some malicious backdoor commands to focus on stealing galleries and photos from infected devices.
  • Furthermore, the actors removed the multidex obfuscation trick.

How far it goes

  • The most recent Roaming Mantis campaign grabbed the attention of the German police and French media, who alerted users about smishing messages with package notifications and compromised websites used as landing pages.
  • Between July 2021 and January 2022, Wroba.g and Wroba.o were detected in many regions, including France, Japan, India, China, Germany, and Korea.
  • On a single day in September 2021, the stats for the Roaming Mantis campaign included tens of thousands of malicious APK downloads in Europe.

Conclusion

The Roaming Mantis campaign is expanding into new regions while further improving its effectiveness by using modified malware families such as HEUR:Trojan-Dropper.AndroidOS.Wroba, Wroba.j, and Wroba.g. This indicates that its operators are still very much active, and the recent geographical expansion into European countries will possibly continue to grow in 2022.
Cyware Publisher