A new Android app has been discovered that tricks unsuspecting users (even those with clean devices) into visiting malicious versions of popular websites, which may end up revealing login details or worse, money.
The findings come courtesy of Kaspersky, which discovered that a malicious Android app containing Wroba.o/Agent.eq (aka Moqhao, XLoader) malware was being distributed.
Once downloaded, the app will try to connect to the Wi-Fi router to which your mobile device is connected. To do this, it will try the most common username and password combinations, as well as those known to come with factory settings (such as admin/admin). If successful, it will change the DNS server to a malicious server controlled by the threat actor.
This allows malware operators to redirect all users connected to that particular WiFi network, including those without malware, to malicious versions of popular websites.
For example, if an infected endpoint connects to a public Wi-Fi network in a crowded coffee shop and ends up changing the DNS server settings on the router, everyone else in that coffee shop who tries to connect to Facebook will actually be redirected to a fake Facebook page. There, they will be asked to enter their login details and if they do, they will end up giving their login details to scammers.
The researchers did not provide the names of the distributed apps, but said the APKs were downloaded at least 46,000 times in Japan, Austria, France, Germany, South Korea, Turkey, Malaysia and India. With over 24,000 downloads, Japan is by far the most affected country.
The group behind the apps is allegedly Roaming Mantis. To protect against these types of attacks, the best solution would be to avoid connecting to important accounts on public Wi-Fi networks.
By: ArsTechnica (opens in a new tab)