The Roaming Mantis threat group has made headlines yet again with the distribution of the well-known Android malware family called “MoqHao.” This particular malware family has previously targeted Asian countries such as Korea and Japan. However, the group has recently employed a new variant of the MoqHao malware that poses an even greater threat.
Earlier MoqHao samples needed the victim to do two things: install the app and then open it. The new variant removes the second step. Its malicious code runs automatically as soon as the app is installed, without the user ever launching it.
Android does have a line of defense here in the form of Google Play Protect. This built-in scanner, enabled by default on devices with Google Play Services, warns users about or blocks apps that exhibit known malicious behaviour, including apps installed from outside the Play Store.
The distribution method is smishing: the operators send phishing SMS messages containing malicious shortened links. When the recipient taps the link on an Android device, the malicious application is downloaded. Downloading is not installing, however: the victim still has to open the APK and allow installation from an unknown source, which is where the lure text in the message does its work.
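Smishing of this kind leaves a trace in SMS gateway or MDM telemetry before any APK is installed. The following triage script is an added example, not code from the original article or from McAfee: it parses constructed sample log lines (the format "timestamp sender recipient body", the phone numbers and the URLs are all made up) and flags messages whose links point at a public URL shortener, at a direct .apk download, or over plaintext HTTP. The shortener host list is illustrative and should be extended from your own telemetry.

```python
import re
from urllib.parse import urlparse

# Constructed sample SMS gateway log lines (not real traffic).
# Format assumed for this example: "<timestamp> <sender> <recipient> <message body>"
SAMPLE_SMS_LOG = """\
2024-02-09T10:14:02Z +15550001111 +15550002222 Your parcel could not be delivered. Reschedule here: https://bit.ly/3xYzAbC
2024-02-09T10:15:40Z +15550003333 +15550002222 Hi, running 10 min late, see you at the cafe
2024-02-09T10:16:11Z +15550004444 +15550005555 Security update required: http://example-update.test/app/chrome.apk
2024-02-09T10:17:55Z +15550006666 +15550002222 Your invoice: https://docs.example.org/inv/1234.pdf
"""

# Illustrative list of public URL shorteners; not exhaustive, extend from your own data.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly", "rb.gy", "goo.gl", "ow.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body):
    """Return every http(s) URL found in an SMS body."""
    return URL_RE.findall(body)


def classify_url(url):
    """Return the list of smishing indicator tags that apply to one URL (empty if none)."""
    tags = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in SHORTENER_HOSTS:
        tags.append("shortened-link")      # destination hidden behind a redirector
    if parsed.path.lower().endswith(".apk"):
        tags.append("direct-apk")          # link serves an Android package directly
    if parsed.scheme.lower() == "http":
        tags.append("plaintext-http")      # no TLS; common on throwaway drop hosts
    return tags


def triage_sms_log(log_text):
    """Scan gateway log lines and return one finding per URL that carries any indicator."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, body = line.split(" ", 3)
        for url in extract_urls(body):
            tags = classify_url(url)
            if tags:
                findings.append({"ts": ts, "sender": sender, "recipient": recipient,
                                 "url": url, "tags": tags})
    return findings


if __name__ == "__main__":
    for f in triage_sms_log(SAMPLE_SMS_LOG):
        print(f["ts"], f["sender"], "->", f["recipient"], f["url"], ",".join(f["tags"]))
```

Flagged links should be expanded in a sandbox, never from a phone: a shortener that redirects Android user agents to an APK while serving something harmless to desktop browsers is itself a strong signal.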
The new variant differs from earlier versions in more than the auto-launch behaviour.
The campaign shows several worrying tactics. Social engineering is used to persuade the victim to make the malicious app the device's default SMS handler, which lets it receive incoming messages and send new ones without the user noticing, and the operators have extended their targeting to countries including South Korea, France, Germany, and India.
The new variant also connects to its command-and-control (C2) server over WebSocket and carries additional commands, among them checking the SIM state, sending SMS messages to the victim's contacts and to addresses supplied by the C2 server, and switching the device between Sound, Vibrate, and Silent mode.
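An app can only be offered as the default SMS handler if its manifest declares a specific set of components (a receiver for SMS_DELIVER, a receiver for WAP_PUSH_DELIVER, a SENDTO activity and a RESPOND_VIA_MESSAGE service). Those declarations are therefore a useful static triage signal for SMS-stealer samples. The analyzer below is an added example written for this article, not code from the original page or from McAfee; it runs on a decoded AndroidManifest.xml such as apktool produces, and the manifest embedded here (package name, labels and component names) is constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix for android:* attributes in ElementTree

# Constructed decoded manifest for a hypothetical app posing as a browser; not a real sample.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakechrome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Chrome">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter>
        <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/>
        <data android:mimeType="application/vnd.wap.mms-message"/>
      </intent-filter>
    </receiver>
    <activity android:name=".ComposeActivity">
      <intent-filter>
        <action android:name="android.intent.action.SENDTO"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="sms"/><data android:scheme="smsto"/>
      </intent-filter>
    </activity>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/>
        <data android:scheme="sms"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Components Android requires before an app can be offered as the default SMS app.
DEFAULT_SMS_ACTIONS = {
    "receiver": {"android.provider.Telephony.SMS_DELIVER", "android.provider.Telephony.WAP_PUSH_DELIVER"},
    "activity": {"android.intent.action.SENDTO"},
    "service": {"android.intent.action.RESPOND_VIA_MESSAGE"},
}
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS", "android.permission.READ_SMS"}
CONTACT_PHONE_PERMISSIONS = {"android.permission.READ_CONTACTS", "android.permission.READ_PHONE_STATE"}


def declared_actions(root):
    """Map component type -> set of intent-filter actions declared under that component type."""
    found = {kind: set() for kind in DEFAULT_SMS_ACTIONS}
    for kind in found:
        for comp in root.iter(kind):
            for action in comp.iter("action"):
                found[kind].add(action.get(A + "name", ""))
    return found


def permissions(root):
    return {p.get(A + "name", "") for p in root.iter("uses-permission")}


def analyze_manifest(xml_text):
    """Summarize default-SMS-app capability and SMS/contact permission exposure."""
    root = ET.fromstring(xml_text)
    actions = declared_actions(root)
    perms = permissions(root)
    missing = {kind: sorted(req - actions[kind]) for kind, req in DEFAULT_SMS_ACTIONS.items()}
    app = root.find("application")
    return {
        "package": root.get("package"),
        "label": app.get(A + "label", "") if app is not None else "",
        "can_be_default_sms": all(not m for m in missing.values()),
        "missing_default_sms_components": missing,
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "reads_contacts_and_phone_state": CONTACT_PHONE_PERMISSIONS <= perms,
    }


if __name__ == "__main__":
    for k, v in analyze_manifest(SAMPLE_MANIFEST).items():
        print("%-34s %s" % (k + ":", v))
```

A package whose label imitates a well-known app (a browser, a carrier, a bank) while declaring the full default-SMS-handler component set plus READ_CONTACTS deserves a closer look; legitimate messaging apps declare the components, but rarely behind a borrowed name. The prompt that asks the user to switch handlers is the android.provider.Telephony.ACTION_CHANGE_DEFAULT intent, so a hit on that string in decompiled code corroborates the manifest finding.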
McAfee has provided comprehensive information about the malware, including details on its source code, deployment techniques, affected targets, and other critical insights about the threat.
Taken together, the command set (sending SMS, querying the SIM state, changing the ringer mode, issuing HTTP requests, and more) gives the operators both a propagation channel for further smishing and a general remote-control foothold on the infected device.
Defenders should review the indicators of compromise published for this MoqHao variant, keep Google Play Protect enabled and devices patched, and remind users not to install apps from links received by SMS, and never to grant an unexpected app the role of default SMS handler.
As the threat keeps evolving, staying informed about new variants and applying these basic controls consistently remains the most effective protection.