Hacker group incorporates DNS hijacking in its malicious website campaign

Hacker group incorporates DNS hijacking in its malicious website campaign

The concept of DNS hijacking.
Increase / The concept of DNS hijacking.

Researchers have discovered a malicious Android app that can interfere with the wireless router the infected phone is connected to and force the router to send all network devices to malicious sites.

The malicious app, discovered by Kaspersky, uses a technique known as DNS (Domain Name System) hijacking. Once the app is installed, it connects to the router and tries to log in to its admin account using default or commonly used credentials, such as admin:admin. When successful, the app then changes the DNS server to a malicious one controlled by the attackers. From there, devices on the network can be directed to imposter sites that mimic legitimate ones but spread malware or user login credentials or other sensitive information.

Able to spread widely

“We believe that the discovery of this new DNS changer implementation is very important in terms of security,” Kaspersky researchers wrote. “The attacker can use it to manage all communications from devices using a compromised Wi-Fi router with the rogue DNS settings.”

The researchers continued: “Users of infected Android devices connect to free/public Wi-Fi in places such as cafes, bars, libraries, hotels, shopping centers and airports. Once connected to a targeted Wi-Fi model with vulnerable settings, Android malware will compromise the router and infect other devices as well. As a result, it is able to spread widely in the targeted regions.”

DNS is the mechanism that matches a domain name like ArsTechnica.com to, the numeric IP address where the site is hosted. DNS lookups are performed by servers operated by a user’s ISP or services from companies such as Cloudflare or Google. By changing the DNS server address in a router’s admin panel from a legitimate one to a malicious one, attackers can cause all devices connected to the router to find malicious domain lookups that lead to similar sites used for cybercrime.

The Android app is called Wroba.o, and it has been used for years in various countries, including the US, France, Japan, Germany, Taiwan and Turkey. Strangely enough, the DNS hijacking technique that the malware can use is almost exclusively in South Korea. From 2019 to most of 2022, attackers lured targets to malicious sites sent via text messages, a technique known as Smishing. Late last year, the attackers incorporated DNS hijacking into their activities in that Asian nation.

Infected flow with hijacking and DNS spoofing.
Increase / Infected flow with hijacking and DNS spoofing.

The attackers, known as Roaming Mantis in the security industry, designed the DNS hijacking to work only when devices visit the mobile version of a spoofed website, most likely ensuring the campaign goes unnoticed.

Although the threat is serious, it has a major shortcoming—HTTPS. A domain name like ArsTechnica.com is associated with a private encryption key known only to the site operator with Transport Layer Security (TLS) certificates that underpin HTTPS. People directed to a malicious site masquerading as Ars Technica using a modern browser will receive warnings that the connection is not secure or be asked to approve a self-signed certificate, a practice that users should never follow.

Another way to combat the threat is to ensure that the password protecting the router’s administrative account is changed from the default one to a strong one.

However, not everyone is familiar with such best practices, leaving them open to visiting a malicious site that looks almost identical to the legitimate one they intended to access .

“Users with infected Android devices that connect to free or public Wi-Fi networks can spread the malware to other devices on the network if the Wi-Fi network they’re connected to is vulnerable,” a report said Thursday. “Kaspersky experts are concerned about the possibility that the DNS changer could be used to target other regions and cause significant problems.

Leave a Reply

Your email address will not be published. Required fields are marked *