A malware campaign known as Roaming Mantis is stealing money from iPhone and Android users through a phishing scam. Over 10,000 users have been attacked.
The Roaming Mantis phishing scam has attacked over 10,000 iPhone and Android users in France. It is believed to be financially motivated malware that began attacking European users and stealing their money in February 2022, and it is now highly active in France. As reported by the cybersecurity company SEKOIA, the Roaming Mantis group delivers a dangerous malware called XLoader (MoqHao) to devices via SMS and tricks Android users into downloading malware-laden apps. iPhone users are redirected to a phishing page that asks for their Apple credentials. The report says the malware can give attackers remote access and can also send SMS spam.
How does this Roaming Mantis Phishing Scam attack users?
SEKOIA shared that the Roaming Mantis campaign first sends an SMS to the targeted users, urging them to follow a URL. The text message claims that a package has been sent to them and that they need to review and arrange its delivery. If the user is on an iPhone or another iOS device, they are directed to a phishing page that steals their Apple credentials; Android users are redirected to a site that delivers the installation file for a mobile app (an Android Package Kit, or APK).
The APK mimics a Chrome installation and asks for permissions to access SMS, phone calls, read and write storage, draw system alerts, read the accounts list, and more. Once unwary victims grant the permissions, the malware installs on the phone and steals sensitive data. Stolen Apple ID credentials give Roaming Mantis access to data from the device, such as the SD card, applications, messages, the contact list, iCloud backups, iMessage and call history. They also allow the attackers to interact remotely with a victim's device.
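The permission profile described above (a fake "Chrome" that wants SMS, phone, storage, system-alert and account access) is something a defender can check for before an APK is trusted. The following is an added example, not code from the article or from SEKOIA: it assumes the APK's AndroidManifest.xml has already been decoded to plain XML (for instance with apktool) and flags a manifest whose label impersonates Chrome while its package name is not Google's, or which requests the SMS-plus-overlay combination the report describes. The manifest below is constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
GENUINE_CHROME_PACKAGE = "com.android.chrome"  # package name of real Chrome

# Permissions matching the capabilities the report attributes to the fake Chrome APK
SUSPECT_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.GET_ACCOUNTS",
}


def assess_manifest(manifest_xml: str) -> dict:
    """Return package, label, the suspect permissions requested, and findings."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label", "") if app is not None else "")
    perms = {p.get(ANDROID_NS + "name", "") for p in root.iter("uses-permission")}
    overlap = perms & SUSPECT_PERMISSIONS
    findings = []
    # A Chrome-branded app that is not Google's Chrome package is impersonation
    if "chrome" in label.lower() and package != GENUINE_CHROME_PACKAGE:
        findings.append(f"label '{label}' impersonates Chrome but package is {package}")
    # SMS interception plus overlay windows is the profile the report describes
    if {"android.permission.RECEIVE_SMS", "android.permission.SYSTEM_ALERT_WINDOW"} <= perms:
        findings.append("requests SMS interception together with overlay permission")
    if len(overlap) >= 5:
        findings.append(f"requests {len(overlap)} high-risk permissions")
    return {"package": package, "label": label,
            "suspect_permissions": sorted(overlap), "findings": findings}


# Constructed sample manifest (hypothetical package name), not a real Roaming Mantis artifact
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechrome">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application android:label="Chrome"/>
</manifest>"""

if __name__ == "__main__":
    for line in assess_manifest(CONSTRUCTED_MANIFEST)["findings"]:
        print("FINDING:", line)
```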
SEKOIA also shared that over 90,000 unique IP addresses have requested XLoader from the main C2 server so far, which suggests the victim pool may be quite large. Many people in France have warned others about this phishing scam on Twitter and on French websites.