New malware targeting Android devices in Thailand – here’s how to stay safe


Security experts are warning about a new form of Android malware that is targeting devices in Thailand.

The malware, dubbed Roaming Mantis, was discovered by researchers at Kaspersky Labs and infects devices via a technique known as DNS hijacking.

DNS hijacking occurs when hackers change the settings on your Wi-Fi router to intercept traffic and redirect you to fake websites in order to steal credit card details, passwords and other sensitive data. Typically the fake websites look exactly like legitimate websites you use regularly.

The DNS, or domain name system, helps connect your device to a website by translating domain names into IP addresses.

DNS hijacking is a big problem: if a hacker manages to compromise the settings on your router, they can direct you to pretty much any website they like, and often you’d be none the wiser.

According to Kaspersky Labs, hackers are using compromised routers to send Android users to fake versions of legitimate websites.


The fake sites then display a pop-up that reads “To better experience the browsing, update to the latest chrome version.”

If you tap “OK”, your phone then downloads a fake version of Google Chrome that includes the Roaming Mantis malware.

Once the fake version of Chrome is installed on your device it then asks you to hand over permission for it to access account information, the management of calls and SMS, device storage, the ability to record audio, install packages and draw overlay windows.

Once the permissions are granted, the Roaming Mantis malware is installed on the device and you will then be presented with a warning which reads “Account No.exists risks, use after certification.”

If you hit “Enter” it will then send you to a fake version of Google where you will be asked for your name and date of birth linked to your Gmail account.

And because you already gave it permission to view your SMS, the hackers behind the malware can intercept any messages that include the two-factor authentication codes sent to your device.

This potentially leaves all your social media, bank, email and any other accounts that have two-factor authentication enabled exposed.
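For readers who want to check a downloaded APK against the permission list above, here is an added example (not code from Kaspersky or from this article) that parses the text output of the Android SDK tool `aapt dump badging`. The mapping from the article's descriptions to Android permission constants, the function name `audit_badging` and the sample input are assumptions made for illustration.

```python
import re

# Assumption: the permission groups the article describes, mapped to real
# Android permission constants (the mapping is ours, not Kaspersky's).
RISKY = {
    "accounts": {"android.permission.GET_ACCOUNTS"},
    "calls/SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.SEND_SMS", "android.permission.CALL_PHONE",
                  "android.permission.READ_PHONE_STATE"},
    "storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "install": {"android.permission.REQUEST_INSTALL_PACKAGES",
                "android.permission.INSTALL_PACKAGES"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
# Package names of Google's own Chrome builds.
GENUINE_CHROME = {"com.android.chrome", "com.chrome.beta",
                  "com.chrome.dev", "com.chrome.canary"}


def audit_badging(text):
    """Score `aapt dump badging` output against the article's permission list."""
    pkg = re.search(r"^package: name='([^']+)'", text, re.M)
    label = re.search(r"^application-label:'([^']*)'", text, re.M)
    # Accept both the old ('...') and new (name='...') aapt line formats.
    perms = set(re.findall(r"^uses-permission:(?: name=)?'([^']+)'", text, re.M))
    groups = sorted(g for g, names in RISKY.items() if names & perms)
    package = pkg.group(1) if pkg else None
    name = label.group(1) if label else ""
    impersonates = "chrome" in name.lower() and package not in GENUINE_CHROME
    return {
        "package": package,
        "label": name,
        "risky_groups": groups,
        "impersonates_chrome": impersonates,
        # Flag a Chrome look-alike, or any app that asks for both SMS access
        # and overlay windows, two items from the article's list.
        "suspicious": impersonates or {"calls/SMS", "overlay"} <= set(groups),
    }


# Constructed sample, not taken from a real APK.
SAMPLE = """package: name='com.example.fakeupdate' versionCode='1' versionName='1.0'
application-label:'Chrome'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
"""
print(audit_badging(SAMPLE))
```

A flagged result is a reason to look closer, not proof of infection: legitimate apps also request some of these permissions.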

The malware supports 4 different languages: Korean, Simplified Chinese, Japanese and English.

However, according to Kaspersky’s report, Thailand is one of the countries where users have been targeted. Kaspersky said around 6,000 instances of the malware had been discovered so far but that figure was expected to rise.

The advice to Android users is, as always, to download apps only from the Google Play Store, to have an anti-virus app installed on your device and to keep all apps up to date.

Also make sure you are running the most up-to-date version of Android possible on your device.

If you think your device has already been infected with the malware, you may need to contact your ISP to update the DNS settings on your router.

