Globe-trotting Roaming Mantis malware is hitting Android and iOS users alike

A white padlock on a dark digital background.
(Image credit:

Roaming Mantis, an Android malware operation that aims to steal sensitive data, and potentially even money, from its victims, has now set its sights to the people of France, cybersecurity researchers are saying. 

Before targeting the French, Roaming Mantis attacked people in Germany, Taiwan, South Korea, Japan, the US, and the U.K., BleepingComputer reports.

This is not the same thing as the Mantis botnet, which recently emerged as one of the largest and most powerful botnets to ever appear.

Tens of thousands of victims

The operation migration was spotted by cybersecurity researchers from SEKOIA. After analyzing the campaign, the researchers discovered that the methodology hasn’t changed much: the victims would first get an SMS, and depending on whether they’re an iOS, or Android user, would be redirected to different sites. 

Apple users would be redirected to a phishing page where the attackers would try and trick them into giving away their credentials, while Android users would be invited to download XLoader (MoqHao), powerful malware that allows threat actors remote access to the compromised endpoint, access to sensitive data, as well as SMS apps (possibly to expand the operation further). 

The researchers believe Roaming Mantis roamed to France in February 2022. Users outside the country, getting the SMS, are safe, as the servers will show a 404 and stop the attack. 

Apparently, the campaign is quite a success, as more than 90,000 unique IP addresses have downloaded XLoader from the main command & control server so far, the researchers have found. With iOS users in the mix, the number grows even further but is, unfortunately, impossible to determine. 

Roaming Mantis is also quite good at keeping a low profile and evading antivirus solutions. It gets C2 configuration from hardcoded Imgur profile destinations, further encoded in base64, it was said. 

Other than that, the campaign’s infrastructure is mostly the same, compared to April, when it was last analyzed, the publication found. The servers still have open ports at TCP/443, TCP/5985, TCP/10081, and TCP/47001, and use the same certificates.

“Domains used inside SMS messages are either registered with Godaddy or use dynamic DNS services such as,” SEKOIA said. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.