The Roaming Mantis operation has now targeted Android and iOS users in France, compromising thousands of devices after troubling superpowers such as the UK, US, Japan, and others in its previous campaigns.
Active since 2018, the malicious campaign is a work of a financially motivated Chinese threat actor group with the same. The group has been targeting European countries since the beginning of 2022.


In February, Kaspersky reported that Roaming Mantis had extended its attacks to France and Germany using a new version of MoqHao banking trojan. The trojan was distributed via SMS phishing (smishing) attacks and malicious apps.
  • Typically the messages contained a short description and a URL to a landing page that enticed the users into downloading malware on their android or iOS devices.
  • On clicking the URL, the iOS users were redirected to a phishing page imitating the official Apple website that asked them to share their Apple login credentials.
  • Meanwhile, the Android users were directed to a site that delivered malicious APK files that caused the download of XLoader malware.
  • The malicious APK launched a Chrome installation and requested many rights, including the ability to read SMS and make phone calls.
  • Notably if the user was outside of France, the landing page showed a 404 error, and the attack was terminated.

What’s the latest update?

  • In a new update, SEKOIA researchers revealed that the ongoing Roaming Mantis campaign has infected around 70,000 Android devices in France. The same campaign also dropped the MoqHao banking trojan to infect iOS devices.
  • The Android devices were infected by XLoader malware that includes remote access, information stealing, and SMS spamming capabilities.
  • The activity leveraging MoqHao or Apple IDs’ credential harvesting pages enabled Roaming Mantis to access data from the local system, SD card, applications, messages or contact list, iCloud backups, iMessage, and call history.

More details

  • SEKOIA researchers also confirmed that more than 90,000 unique IP addresses were found distributing the MoqHao banking trojan.
  • It is likely that the stolen data could be further used in extortion schemes, sold to other threat groups, or leveraged in “Big Game Hunting” operations.
  • The number of iOS users affected by the Roaming Mantis phishing page is unknown and could be the same or even higher.

Cross-platform threat on a rise

In June, an Italian spyware vendor—discovered by Google's TAG—collaborated with ISPs to infect Android and iOS users in Italy and Kazakhstan. In this campaign, hackers urged users to install malicious apps if they wish to get back online after their ISP cut the internet.


Roaming Mantis’ operations continue to spread throughout Europe with France as its new target. Smartphone users are advised to stay cautious when they receive SMS offers to install apps. Furthermore, before installing apps, a user must verify the legitimacy of it.
Cyware Publisher