Android Malware ‘Roaming Mantis’ expanded to include Europe

In March 2018, Roaming Mantis was discovered when infected routers in Japan were redirecting visitors to corrupted websites. Roaming Mantis is a virus and credential theft campaign that uses smishing to spread malicious Android apps in the form of APK files.

As of January, the malware campaign had spread across Europe, infecting France in particular, with 66,789 downloads of the group’s unique Remote Access Trojan (RAT).

The current round of operations, dubbed Roaming Mantis, involves sending bogus shipping-related messages including a URL to a landing page from which Android users are infected with the banking trojan Wroba, while iPhone users are led to a phishing page posing as the official Apple website.

It’s been a while, but we’ve seen some fresh Roaming Mantis operations in 2022, as well as some updates to the Android Trojan Wroba, which is primarily employed in this campaign. We also observed that, in addition to Japan, Taiwan, and Korea, France and Germany have been included as key targets of Roaming Mantis.