Android and iOS users are targeted by Roaming Mantis malware and phishing attacks


Dropping XLoader. In a report published today, researchers at cybersecurity company SEKOIA say that the Roaming Mantis group is now dropping the XLoader (MoqHao) payload on Android devices. XLoader is a powerful malware whose features include remote access, information stealing, and SMS spamming. The ongoing Roaming Mantis campaign targets French users and starts with an SMS sent to prospective victims, urging them to follow a URL.

Following attacks on Android and iOS users in Germany, Taiwan, South Korea, Japan, the US, and the UK, the Roaming Mantis operation has turned its attention to France, possibly compromising tens of thousands of devices. Roaming Mantis is thought to be a financially motivated threat actor that began concentrating on European consumers in February. In the latest effort, the threat actor uses SMS messages to lure consumers into downloading malware on their Android devices; a potential victim on an iOS device is instead forwarded to a phishing page seeking Apple credentials.


  • The text message tells the recipient that a package has been sent to them and that they need to review it and arrange its delivery. If the user is located in France and is using an iOS device, they are directed to a phishing page that steals Apple credentials. Android users are pointed to a site that delivers the installation file for a mobile app (an Android Package Kit, or APK). The APK executes and mimics a Chrome installation, requesting risky permissions such as SMS interception, making phone calls, reading and writing storage, handling system alerts, getting the accounts list, and more.

  • The command and control (C2) configuration is retrieved from hardcoded Imgur profile destinations and is encoded in base64 to evade detection; the malware then decrypts the retrieved string to derive the final C2 IP address (a figure in SEKOIA's report shows this decryption step). SEKOIA confirmed that over 90,000 unique IP addresses have requested XLoader from the main C2 server so far, so the victim pool might be significant.
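The two bullets above describe what a defender can check statically: a "Chrome" APK that asks for SMS, phone, storage, overlay and account permissions, and configuration strings that are base64-encoded to hide a C2 address. The following triage script is an added example written for this page; it is not code from SEKOIA's report or from the article. The mapping of the article's capability list to Android permission constants, the base64-to-IPv4 heuristic, the "suspicious" threshold, and the sample manifest and strings dump are all assumptions constructed here. The article says the malware "decrypts" the retrieved string but gives no details of the routine, so this example stops at spotting base64 tokens that decode directly to an IPv4 address rather than reproducing MoqHao's own logic.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Permissions matching the capabilities the article says the fake "Chrome" APK
# requests (SMS interception, phone calls, storage, system alerts, accounts
# list). The mapping to Android permission constants is this example's
# assumption, not a list taken from SEKOIA's report.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.SEND_SMS": "SMS spamming",
    "android.permission.CALL_PHONE": "making phone calls",
    "android.permission.READ_EXTERNAL_STORAGE": "reading storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "writing storage",
    "android.permission.SYSTEM_ALERT_WINDOW": "handling system alerts",
    "android.permission.GET_ACCOUNTS": "getting the accounts list",
}

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def risky_permissions(manifest_xml: str) -> dict:
    """Return {permission: capability} for every risky <uses-permission> entry."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name in RISKY_PERMISSIONS:
            found[name] = RISKY_PERMISSIONS[name]
    return found


# A base64 token is 8+ alphabet characters plus optional padding; shorter
# tokens produce too many false positives in a strings dump.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def hidden_ipv4_candidates(text: str) -> list:
    """Return (token, decoded_ip) pairs for base64 tokens that decode to an IPv4 address.

    Generic triage heuristic for the "base64 to evade detection" step described in
    the article; it does not reproduce MoqHao's own decryption routine.
    """
    hits = []
    for token in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue  # not valid base64, or not ASCII text once decoded
        if IPV4.match(decoded) and all(int(octet) <= 255 for octet in decoded.split(".")):
            hits.append((token, decoded))
    return hits


def triage(manifest_xml: str, strings_dump: str) -> dict:
    """Combine both checks into a single report for an analyst."""
    perms = risky_permissions(manifest_xml)
    ips = hidden_ipv4_candidates(strings_dump)
    return {
        "risky_permissions": perms,
        "hidden_ipv4": ips,
        # Threshold is this example's assumption: a "browser" asking for several
        # SMS/phone/overlay permissions plus an obfuscated IP is worth a look.
        "suspicious": len(perms) >= 3 and len(ips) >= 1,
    }


# Constructed sample inputs (not real artefacts from the campaign).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakechrome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""

# Imitates a scraped profile text field: one token hides the documentation
# address 192.0.2.44, the other decodes to ordinary text and must be ignored.
SAMPLE_STRINGS = "profile bio: MTkyLjAuMi40NA== aGVsbG8gd29ybGQ= hunting"

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, SAMPLE_STRINGS)
    for perm, capability in report["risky_permissions"].items():
        print(f"risky permission: {perm} ({capability})")
    for token, ip in report["hidden_ipv4"]:
        print(f"base64 token {token} decodes to IPv4 {ip}")
    print("verdict:", "suspicious" if report["suspicious"] else "no indicator")
```

In practice the manifest comes from decoding the APK's binary AndroidManifest.xml and the strings dump from the unpacked resources or a network capture of the profile page; the heuristic is deliberately narrow (direct base64 of a dotted quad) so it can be extended with the real decoding steps once they are known from analysis.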

The number of iOS users who have handed over their Apple iCloud credentials on the Roaming Mantis phishing page is unknown and could be the same or even higher.

Bill Toulas is a technology writer and infosec news reporter with over a decade of experience working on various online publications. An open source advocate and Linux enthusiast, he currently finds pleasure in following hacks, malware campaigns, and data breach incidents, as well as in exploring the intricate ways in which tech is swiftly transforming our lives.

