Roaming Mantis
Malware
⚠️ Overview
Roaming Mantis is an ongoing mobile- and router-targeted information-stealing campaign first documented by Kaspersky in 2018 and operated by an advanced persistent threat (APT) group tracked as TA2644, also referred to simply as the Roaming Mantis group. The malware family functions primarily as a banking trojan, credential stealer, and cryptominer, reaching Android devices and home routers through DNS hijacking and drive-by downloads.
🔧 Technical Capabilities
Roaming Mantis propagates through compromised Wi-Fi routers: it modifies the router's DNS settings so that victims are redirected to malicious websites that deliver fake app updates (e.g., Chrome, WhatsApp). The initial infection vector is a social engineering lure urging the user to install a trojanized Android APK, which then requests extensive permissions, including SMS reading, call logs, and accessibility services. Once installed, the malware exfiltrates SMS messages (including 2FA codes), contacts, and device information to its command-and-control (C2) infrastructure, typically hosted on compromised legitimate servers or on bulletproof hosting in Southeast Asia. To evade detection it uses a domain generation algorithm (DGA) and HTTPS-encrypted C2 channels, and a secondary module mines cryptocurrency (Monero) on infected devices. It also terminates itself if it detects a virtual machine environment, a common evasion technique (MITRE ATT&CK T1497).
📜 History & Notable Incidents
First spotted in 2018 targeting users in South Korea, Roaming Mantis expanded in 2020 to Japan, Taiwan, and France, adding router DNS hijack capabilities. In 2022, Kaspersky reported a new variant that exploited a Wi-Fi router vulnerability (CVE-2022-28346) to gain admin access. A 2023 campaign distributed a fake "KakaoTalk" update that dropped the malware on Korean users. No law enforcement actions have dismantled the operation as of 2025.
🔍 Detection Indicators
Network IOCs include DNS requests to domains such as update-checker[.]net and rogue C2 IPs in the 5.196.x.x range. Known file hashes: APK samples with SHA256 starting with 3a7f9c... (see Kaspersky's IoC list). Behavioral indicators: unexpected SMS permission requests on Android, package names such as "com.android.update" or "com.chrome.browser", and router DNS settings changed to point at malicious resolvers. Persistence is achieved through device administrator abuse (MITRE ATT&CK T1404).
☠️ Risk & Impact
Roaming Mantis primarily causes financial theft: it harvests credentials from banking apps and cryptocurrency wallets and intercepts SMS 2FA codes to complete account takeovers. It also performs cryptojacking on the device, degrading performance and draining the battery. Impacted parties include the finance and telecommunications sectors as well as individual users in East Asia and Europe. Estimated losses exceed tens of millions of dollars from account takeovers and fraudulent transactions.
🛡️ Mitigation
Users should avoid installing apps from unofficial sources, update router firmware to patch known vulnerabilities such as CVE-2022-28346, and monitor network traffic for anomalous DNS queries. Enterprises can deploy endpoint detection rules blocking APK downloads from untrusted domains (e.g., via YARA rules from Kaspersky's 2024 report) and enforce mobile device management (MDM) policies that restrict installation of apps from outside the official Play Store.
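A small defender-side check for the indicators named in the Detection Indicators and Mitigation sections above (the watch-listed domain, the 5.196.x.x resolver range, and the two package names), written here as an added example; it is not code from the Boteraser page or from Kaspersky. The DNS log line format, the sample log lines and the set of expected resolvers are assumptions constructed for the example.

```python
import ipaddress
import re

# Indicators quoted from the profile above (the domain is defanged on the page).
WATCH_DOMAINS = {"update-checker.net"}
WATCH_NETWORK = ipaddress.ip_network("5.196.0.0/16")
WATCH_PACKAGES = {"com.android.update", "com.chrome.browser"}
# Assumption: the resolvers the monitored routers are expected to be pointed at.
EXPECTED_RESOLVERS = {"1.1.1.1", "9.9.9.9"}

# Constructed log format (assumption): "<timestamp> <client-ip> query <qname> via <resolver-ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<name>\S+) via (?P<resolver>\S+)$")

def check_dns_line(line):
    """Return the list of alerts raised by one DNS log line (empty if benign)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable line"]
    alerts = []
    name = m["name"].rstrip(".").lower()
    # Flag the watch-listed domain and any of its subdomains.
    if any(name == d or name.endswith("." + d) for d in WATCH_DOMAINS):
        alerts.append(f"query for watch-listed domain {name}")
    try:
        resolver = ipaddress.ip_address(m["resolver"])
    except ValueError:
        return alerts + [f"invalid resolver address {m['resolver']}"]
    if resolver in WATCH_NETWORK:
        alerts.append(f"resolver {resolver} inside watch-listed range {WATCH_NETWORK}")
    elif str(resolver) not in EXPECTED_RESOLVERS:
        # A resolver nobody configured is the signature of a DNS-hijacked router.
        alerts.append(f"resolver {resolver} not in expected set (possible router DNS change)")
    return alerts

def suspicious_packages(installed):
    """Return the installed Android package names that match the profile's list."""
    return sorted(p for p in installed if p in WATCH_PACKAGES)

# Constructed sample input (not real traffic).
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z 192.168.1.20 query www.update-checker.net via 1.1.1.1",
    "2024-05-01T09:00:05Z 192.168.1.21 query example.org via 5.196.12.34",
    "2024-05-01T09:00:09Z 192.168.1.22 query example.org via 9.9.9.9",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line, "->", check_dns_line(line))
    print(suspicious_packages(["com.android.update", "com.example.mail"]))
```

A router whose resolver drifts out of the expected set is reported even when the new resolver is not in the watch-listed range, since that change is the first observable sign of the DNS hijack described above.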