The Roaming Mantis operation is stealing money from iPhone and Android phone users through phishing scams. More than 10,000 people have been attacked.
The Roaming Mantis phishing scam has hit more than 10,000 iPhone and Android phone users in France. It is believed to be financially motivated malware that began attacking European users and stealing their money in February 2022, and it now appears to be very active in France. As reported by the cybersecurity company SEKOIA, the Roaming Mantis group delivers a dangerous malware called XLoader (also known as MoqHao) to devices via SMS, tricking Android users into downloading apps that contain it, while iPhone users are redirected to a phishing page asking for their Apple credentials. Reports say the malware can give the attackers remote access to the device and can also send SMS spam.
How does the Roaming Mantis phishing scam attack users?
SEKOIA explained that the Roaming Mantis campaign begins with an SMS to targeted users asking them to follow a URL. The message claims that a package has been sent to them and that they need to review and arrange its delivery. Users on an iPhone or other iOS device are directed to a phishing page that harvests their Apple credentials, while Android users are redirected to a site serving the installation file for a mobile app (an Android package kit, or APK).
The APK poses as a Chrome installation and asks for permissions to access SMS, phone calls, read and write storage, manage system alerts, obtain the list of accounts, and more. If an unwary victim grants them, the malware takes hold of the phone and steals its important data. On the Apple side, the Apple ID certificate permission gives Roaming Mantis access to data on the local system, such as the SD card, applications, messages and contact lists, iCloud backups, iMessage, and call history. It even allows the attackers to interact remotely with victim devices.
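As an added illustration of the permission pattern described above (example code written for this article, not SEKOIA's tooling or the malware's own code), the following Python script triages a decoded AndroidManifest.xml for two of the red flags mentioned: the cluster of SMS, phone, storage, system-alert and account permissions, and an app that labels itself "Chrome" while not carrying Google's package name. The mapping from the report's wording to specific Android permission names, the threshold of four, and both sample manifests are assumptions constructed for the example; in practice the manifest text would come from decoding an APK with a tool such as apktool.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission cluster matching the behaviour described in the report
# (SMS, phone calls, storage, system alert windows, account list).
# The mapping from the report's wording to Android permission names is
# this example's own assumption, not SEKOIA's indicator list.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS (spamming)",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.READ_PHONE_STATE": "read phone identity",
    "android.permission.READ_EXTERNAL_STORAGE": "read storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write storage",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.GET_ACCOUNTS": "list accounts on the device",
}

# Package name of the genuine Google Chrome app on Android.
CHROME_PACKAGE = "com.android.chrome"


def triage_manifest(manifest_xml: str, threshold: int = 4) -> dict:
    """Score a decoded AndroidManifest.xml for the smishing-dropper pattern.

    Flags the APK when it requests at least `threshold` permissions from the
    suspicious cluster, or when its label claims to be Chrome but its package
    name is not Google's. Returns a dict so callers can log the evidence.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(f"{{{ANDROID_NS}}}label", "") if app is not None else ""

    # <uses-permission> elements are direct children of <manifest>.
    requested = {
        el.get(f"{{{ANDROID_NS}}}name", "")
        for el in root.findall("uses-permission")
    }
    hits = sorted(p for p in requested if p in SUSPICIOUS_PERMISSIONS)
    impersonates_chrome = "chrome" in label.lower() and package != CHROME_PACKAGE

    suspicious = len(hits) >= threshold or impersonates_chrome
    return {
        "package": package,
        "label": label,
        "suspicious_permissions": hits,
        "capabilities": [SUSPICIOUS_PERMISSIONS[p] for p in hits],
        "impersonates_chrome": impersonates_chrome,
        "verdict": "suspicious" if suspicious else "low-risk",
    }


# Constructed sample: a dropper posing as Chrome with the permission set
# described in the report (a placeholder, not a real Roaming Mantis manifest).
FAKE_CHROME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.dropper">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Chrome"/>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("fake-chrome", FAKE_CHROME_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(xml)
        print(name, result["verdict"], result["capabilities"])
```

The point of returning the matched permissions rather than a bare verdict is that an analyst can see which capabilities the sample asked for (SMS interception, overlay windows, account enumeration) and compare them with what the app claims to be; a browser that wants to read and send SMS is the mismatch worth escalating. The threshold is deliberately conservative so that a legitimate messaging app requesting two or three of these permissions is not flagged on permissions alone.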
SEKOIA also noted that more than 90,000 unique IP addresses have so far requested XLoader from the main C2 server, which means the pool of potential victims could be quite large. Many people in France have warned others about this phishing scam on Twitter and on French websites.