Kaspersky reports Wroba.o to Google for DNS hijacking

February 1, 2023 - TuxCare PR Team

Kaspersky has discovered a new malicious app known as Wroba.o that uses DNS hijacking to steal victims’ personal and financial information. The app, discovered in the Google Play Store, masquerades as a legitimate app and is tailored to redirect traffic to phishing websites or other malicious domains.

The app is said to have been created by a group called Roaming Mantis. The DNS hijacking was reportedly designed to work only when devices visited the mobile version of a spoofed website, most likely to ensure the campaign went undetected.

DNS (Domain Name System) hijacking is a technique used by the malicious app. After installation, the app connects to the router and tries to log in to its administrative account utilizing default or commonly used credentials, such as admin:admin. When the app is successful, it changes the DNS server to one controlled by the attackers. Devices on the network can then be directed to imposter sites that look legitimate but spread malware or log user credentials or other sensitive data.

DNS hijacking is a technique in which an attacker modifies a website’s Domain Name System (DNS) settings, redirecting traffic intended for a legitimate website to a malicious one. Hackers are compromising DNS servers in this campaign and redirecting victims to fake login pages or other phishing sites designed to steal personal and financial information.

According to the researchers, the hackers have been particularly successful in their attacks on small and medium-sized businesses as well as individuals. To avoid detection, they employ a number of strategies, including the use of multiple domains and IP addresses, as well as encrypted traffic to conceal their activities.

According to the researchers, the malicious app was downloaded by a large number of users before it was discovered and removed from the Google Play Store. Kaspersky has also reported the incident to Google’s security team and the appropriate authorities in order for them to take appropriate action and prevent the app from being distributed.

The researchers say: “Users connect infected Android devices to free/public Wi-Fi in such places as cafes, bars, libraries, hotels, shopping malls, and airports. When connected to a targeted Wi-Fi model with vulnerable settings, the Android malware will compromise the router and affect other devices as well. As a result, it is capable of spreading widely in the targeted regions.”

The sources for this piece include an article in ArsTechnica.

Summary