Roaming Mantis targets Android and iOS

Roaming Mantis targets Android and iOS

Roaming Mantis malware that targets Android and iOS devices is detected in France after hitting Germany, Taiwan, South Korea, Japan, the US, and the UK. This malware did compromise tens of thousands of devices and is believed to be a financially motivated threat actor, which was first reported in February 2022 targeting European users.

MoqHao (aka Wroba, XLoader for Android) is an Android Remote Access Trojan (RAT) with information-stealing and backdoor capabilities that spread via SMS. It is attributed to Roaming Mantis, which is thought to be a Chinese threat organization with financial motivations.

How the Malware works

The threat actor uses SMS to lure users into making them download the malware onto their devices. This smishing campaign was first observed by analysis through malicious SMS received.

The SMS says that “Your package has been sent. Please check it and receive” and contains a link. If any user clicks on that link, the users are redirected to a phishing page designed according to the device they have and the location they are at. Now, the Roaming Mantis is detected in France and the messages received are in French.

iPhone users receive an SMS with a link to a phishing site that can steal Apple credentials. But for Android users, the SMS pushes them to install a mobile app – an Android Package Kit (APK). But for any user outside France, the URL redirects to a 404 error.

The infrastructure of the threat

Analysts of this threat report that the infrastructure of Roaming Mantis has not changed much when compared to the last analysis done in April.

As the threat is targeting both iOS and Android devices, there are two different infection chains detected.

  1. Android Payload

The servers have the ports like TCP/443, TCP/5985, TCP/10081, and TCP/47001 open. These servers are set to target only one country and traffic from any other country is set to display a 404 error.

  1. Apple Phishing

The servers have TCP/80, TCP/5432, TCP/5985, and TCP/47001 open. The landing page is designed in a way that replicates the Apple ID login page. Same as the Android infrastructure, this is also geofencing and any traffic from other countries results in a 404 error.


The domains used inside the Smishing SMS are found to be registered in either “GoDaddy” or dynamic DNS servers like “”. The intrusion set uses more than a hundred subdomains, and each IP address is resolved by dozens of FQDNs.

Do not fall victim to Mantis

To prevent Roaming Mantis and other Android malware from infecting your device, you should never allow the installation of apps from untrusted sources, and you should never download APKs from strange sites.

Furthermore, SMS texts that contain URLs should always be treated with caution and suspicion, even if they come from someone you know. If you have even a slight doubt about the sender of the SMS, instead of opening the URL in it, try visiting the vendor that it disguises as directly.

Finally, given that analysts actively monitor these activities, an Android internet security solution from a reliable vendor could assist flag these URLs upon accessing them.