Threat Watch

Roaming Mantis Campaign Targeting French and German Mobile Phone Users

French and German iPhone and Android users have recently been targeted by the Roaming Mantis campaign, which aims to obtain personal information from victims by using SMS phishing (smishing) pages and fraudulent apps. Apple users receive a message with a link that, if clicked, takes them to a lookalike Apple site; if they attempt to log in, their credentials are stolen. Android users, on the other hand, are taken to various other fake sites, such as fake Google Chrome pages, where a download of the Wroba malware is attempted. The Wroba loader malware's language was recently changed from Java to Kotlin. In some of the more recent campaigns, the malware's command lines have been tweaked so that it can steal photos from victims' phones. The French and German police are aware of the recent campaign and have been notifying residents of their respective countries. While the Roaming Mantis campaign has remained somewhat quiet since it emerged in 2018, it has been expanding since July of 2021.

ANALYST NOTES

iPhone users should be more cautious when visiting sites that ask them to enter login or personal information. Just as on a laptop or a PC, URLs should be checked to make sure they are legitimate. For Android users, a program such as McAfee Mobile Security would help detect the presence of mobile malware and potentially avoid loss of data.

https://cyware.com/news/roaming-mantis-operators-use-fake-sms-messages-to-lure-european-targets-916e0ea0