Users of Android and iOS smart devices take note:

Global cybersecurity firm Kaspersky has been actively monitoring more attacks against Android and iOS devices by the Anubis and Roaming Mantis mobile banking trojans.

As far back as 2017, Anubis had been targeting Android users from China, Colombia, Denmark, France, Germany, India, Russia, Turkey, the US and Vietnam, and it continues to be one of the most common mobile malware families. In Q2 2022, Kaspersky’s mobile incident statistics showed that Anubis attacks comprise 10.48% of its users globally.

The malware infects devices via multiple pathways, including legitimate-looking and popular apps on Google Play; phishing messages sent through SMS; and BianLian malware, another mobile banking trojan.

According to Suguru Ishimaru, the firm’s Senior Malware Researcher: “Anubis is known for compromising hundreds of bank customers per campaign, proving that it’s among the most active malware targeting Android users right now. Our recent findings show that the cybercriminals behind this threat have started implementing ransom functionalities. If this modification proves to be successful, chances are other malicious groups will copy the same technique of stealing data and holding devices hostage. As a result, I expect to see more of such attacks in APAC due to cybercriminals’ strong financial motivation.”

Roaming Mantis targets iOS users
Another prolific mobile banking threat, one that targets not only Android but now also iOS users, is Roaming Mantis. The malware has been operating since 2018 and has been responsible for almost half a million attacks in China, India, Japan, Russia, South Korea and the Asia Pacific region from 2021 to the first half of 2022.

While the cybercriminal group is known for targeting Android devices, Roaming Mantis’ recent campaign showed interest in iOS users, employing the same techniques as Anubis. Smishing messages targeting iOS users will typically contain a very short description and a URL to a landing page. If a user follows the link and opens the landing page, there are two scenarios: iOS users are redirected to a phishing page imitating the official Apple website, while Android users will get infected by the Wroba malware.

Should a victim submit login credentials to the phishing website, the site then sends them on to a fake two-factor authentication phishing page. This allows the attacker to learn the user’s device, credentials, and 2FA codes. Ishimaru commented that mobile malware groups are getting increasingly sophisticated in deploying social engineering and malware techniques, exploiting the possibility of mobile users making mistakes.

“Remember that both Anubis and Roaming Mantis require victims’ participation before they can take over a device. With 63% of online digital payments in APAC transacted via mobile devices, everyone should be taking more measures to protect their smartphones by now,” Ishimaru concluded.