Comments on: Roaming Mantis implements new DNS changer in its malicious mobile app in 2022

By: Securelist

Securelist — Fri, 03 Feb 2023 08:54:27 +0000

In reply to Tyler Nash. Hi Tyler! This investigation is ongoing, and we withhold such details, so as not to provoke the actor.

By: Tyler Nash

Tyler Nash — Wed, 01 Feb 2023 23:35:54 +0000

How did you determine the amount of downloaded APKs?

By: Securelist

Securelist — Mon, 30 Jan 2023 17:52:50 +0000

In reply to AAA. Hi AAA! We don't share malicious packages, because we are a cybersecurity company. However, we provide file hashes in the IoC section, so if you want, you can try to find APKs by hash on the internet.

By: AAA

AAA — Thu, 26 Jan 2023 01:54:57 +0000

Can I get related APK files?

By: Securelist

Securelist — Tue, 24 Jan 2023 16:09:03 +0000

In reply to Alex. Hi Alex! They do not install valid certificates. We have observed two types of landing pages: those using HTTP, and those using invalid certificates. In both cases the browser shows a warning in the address bar when the landing page is opened.

By: Alex

Alex — Tue, 24 Jan 2023 09:42:28 +0000

Given that most of today’s traffic is TLS encrypted, manipulating hostname resolution is not sufficient for an attack. Does Roaming Mantis also install a rogue root certificate into the device’s trust store?