{"id":121525,"date":"2021-05-05T11:17:02","date_gmt":"2021-05-05T18:17:02","guid":{"rendered":"\/blogs\/?p=121525"},"modified":"2024-06-25T22:52:57","modified_gmt":"2024-06-26T05:52:57","slug":"roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware\/","title":{"rendered":"Roaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware"},"content":{"rendered":"<p>The <a href=\"https:\/\/securelist.com\/roaming-mantis-part-v\/96250\/\" target=\"_blank\" rel=\"noopener noreferrer\">Roaming Mantis<\/a> smishing campaign has been impersonating a logistics company to steal SMS messages and contact lists from Asian Android users since 2018. In the second half of 2020, the campaign improved its effectiveness by adopting dynamic DNS services and spreading messages with phishing URLs that infected victims with the fake Chrome application <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/\" target=\"_blank\" rel=\"noopener noreferrer\">MoqHao<\/a>.<\/p>\n<p>Since January 2021, however, the McAfee Mobile Research team has established that Roaming Mantis has been targeting Japanese users with a new malware called SmsSpy. The malicious code infects Android users using one of two variants depending on the version of OS used by the targeted devices. 
This ability to download malicious payloads based on OS versions lets the attackers infect a much broader range of Android devices.<\/p>\n<h2>Smishing Technique<\/h2>\n<p>The phishing SMS message used is similar to that of recent campaigns, but the phishing URL contains the term \u201cpost\u201d.<\/p>\n<p>During our investigation, we observed the phishing website hxxps:\/\/bitfiye[.]com redirect to hxxps:\/\/post.hygvv[.]com. The redirected URL contains the word \u201cpost\u201d as well and follows the same format as the first screenshot. In this way, the actors behind the attack try to add variety to the SMS phishing campaign by redirecting from a domain that resembles a target company and service.<\/p>\n<h2>Malware Download<\/h2>\n<p>A characteristic of this malware distribution platform is that it serves different malware depending on the Android OS version of the device that accessed the phishing page. Devices running Android 10 or later download the fake Google Play app; devices running Android 9 or earlier download the fake Chrome app.<\/p>\n<p>Because the malicious program code needs to be changed with each <a href=\"https:\/\/developer.android.com\/about\/versions\/10\/behavior-changes-10\" target=\"_blank\" rel=\"noopener noreferrer\">major Android OS upgrade<\/a>, the malware author appears to be covering more devices by distributing malware selected for the detected OS, rather than covering a smaller set with just one type of malware.<\/p>\n<h2>Technical Behaviors<\/h2>\n<p>The main purpose of this malware is to steal phone numbers and SMS messages from infected devices. After it runs, the malware pretends to be a Chrome or Google Play app and asks to be set as the default messaging application so that it can read the victim\u2019s contacts and SMS messages. 
On the latest Android devices, it also masquerades as a security service by Google Play.<\/p>\n<p>After hiding its icon, the malware establishes a WebSocket connection in the background to communicate with the attacker\u2019s command and control (C2) server. The default destination address is embedded in the malware code. The code also embeds an update link from which a new C2 server location can be retrieved when needed. Thus, if no default server is detected, or if no response is received from the default server, the C2 server location will be obtained from the update link.<\/p>\n<p>The MoqHao family hides C2 server locations in the user profile page of a blog service, whereas some samples of this new family use a Chinese online document service to hide C2 locations.<\/p>\n<p>As part of the handshake process, the malware sends the Android OS version, phone number, device model, internet connection type (4G\/Wi-Fi), and unique device ID of the infected device to the C2 server.<\/p>\n<p>Then it listens for commands from the C2 server. 
The sample we analyzed supported the commands below, which are intended to steal the phone numbers in Contacts and SMS messages.<\/p>\n<table width=\"624\">\n<tbody>\n<tr>\n<td width=\"138\">Command String<\/td>\n<td width=\"486\">Description<\/td>\n<\/tr>\n<tr>\n<td width=\"138\">\u901a\u8baf\u5f55<\/td>\n<td width=\"486\">Send the whole contact book to the server<\/td>\n<\/tr>\n<tr>\n<td width=\"138\">\u6536\u4ef6\u7bb1<\/td>\n<td width=\"486\">Send all SMS messages to the server<\/td>\n<\/tr>\n<tr>\n<td width=\"138\">\u62e6\u622a\u77ed\u4fe1&amp;open<\/td>\n<td width=\"486\">Start &lt;Delete SMS message&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"138\">\u62e6\u622a\u77ed\u4fe1&amp;close<\/td>\n<td width=\"486\">Stop &lt;Delete SMS message&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"138\">\u53d1\u77ed\u4fe1&amp;<\/td>\n<td width=\"486\">Command data contains an SMS message and a destination number; the message is sent via the infected device<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>Table: Remote commands via WebSocket<\/em><\/p>\n<h2>Conclusion<\/h2>\n<p>We believe that the ongoing smishing campaign targeting Asian countries is using different mobile malware such as <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/\">MoqHao<\/a>, <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play\/\">SpyAgent<\/a>, and <a href=\"https:\/\/www.cybereason.com\/blog\/fakespy-masquerades-as-postal-service-apps-around-the-world\">FakeSpy<\/a>. Based on our research, the new type of malware discovered this time uses a modified infrastructure and payloads. We believe that there could be several cybercriminal groups, each developing its own attack infrastructure and malware separately. 
Or it could be the work of another group who took advantage of previously successful cyber-attacks.<\/p>\n<p>McAfee Mobile Security detects this threat as Android\/SmsSpy and alerts mobile users if it is present and further protects them from any data loss. For more information about McAfee Mobile Security, visit <a href=\"https:\/\/www.mcafeemobilesecurity.com\">https:\/\/www.mcafeemobilesecurity.com<\/a>.<\/p>\n<h2>Appendix \u2013 IoC<\/h2>\n<h3>C2 Servers:<\/h3>\n<ul>\n<li>168[.]126[.]149[.]28:7777<\/li>\n<li>165[.]3[.]93[.]6:7777<\/li>\n<li>103[.]85[.]25[.]165:7777<\/li>\n<\/ul>\n<h3>Update Links:<\/h3>\n<ul>\n<li>r10zhzzfvj[.]feishu.cn\/docs\/doccnKS75QdvobjDJ3Mh9RlXtMe<\/li>\n<li>0204[.]info<\/li>\n<li>0130one[.]info<\/li>\n<li>210302[.]top<\/li>\n<li>210302bei[.]top<\/li>\n<\/ul>\n<p>Phishing Domains:<\/p>\n<h3>Sample Hash information:<\/h3>\n","protected":false},"excerpt":{"rendered":"<p>The Roaming Mantis smishing campaign has been impersonating a logistics company to steal SMS messages and contact lists from Asian&#8230;<\/p>\n","protected":false},"author":827,"featured_media":121141,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4662,2842],"class_list":["post-121525","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Roaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware | McAfee Blog<\/title>\n<meta name=\"description\" content=\"The Roaming Mantis smishing campaign has been impersonating a logistics company to steal SMS messages and contact lists from Asian Android users since\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Roaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"The Roaming Mantis smishing campaign has been impersonating a logistics company to steal SMS messages and contact lists from Asian Android users since\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware\/\" \/>\n<meta property=\"og:site_name\" 
content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-05-05T18:17:02+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-06-26T05:52:57+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/AdobeStock_391304916_200x200.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"200\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"ZePeng Chen, Yukihiro Okutomi\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ZePeng Chen, Yukihiro Okutomi\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware\/\"},\"author\":{\"name\":\"ZePeng Chen\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/6fb75b3dd9ea3d7dedda48880fd147f5\"},\"headline\":\"Roaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware\",\"datePublished\":\"2021-05-05T18:17:02+00:00\",\"dateModified\":\"2024-06-26T05:52:57+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware\/\"},\"wordCount\":1385,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/AdobeStock_391304916_200x200.jpg\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware\/\",\"name\":\"Roaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/AdobeStock_391304916_200x200.jpg\",\"datePublished\":\"2021-05-05T18:17:02+00:00\",\"dateModified\":\"2024-06-26T05:52:57+00:00\",\"description\":\"The Roaming Mantis smishing campaign has been impersonating a logistics company to steal SMS messages and contact lists from Asian Android users since\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/AdobeStock_391304916_200x200.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/AdobeStock_391304916_200x200.jpg\",\"width\":200,\"height\":200,\"caption\":\"Quel antivirus choisir 
?\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Roaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.
linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/6fb75b3dd9ea3d7dedda48880fd147f5\",\"name\":\"ZePeng Chen\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/3e265358d4380d543654e7189dfa995d\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e23a4d49ff1d3565d31a01e3a8ccf0be?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e23a4d49ff1d3565d31a01e3a8ccf0be?s=96&d=mm&r=g\",\"caption\":\"ZePeng Chen\"},\"description\":\"Peng is a security researcher and a member of the McAfee Mobile Research and Operations team. He is based in Shenzhen, China, and specializes in mobile malware analysis, reverse engineering, and detections.\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/jason-chen\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/121525","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/827"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=121525"}],"version-history":[{"count":4,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/121525\/revisions"}],"predecessor-version":[{"id":195310,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/121525\/revisions\/195310"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/121141"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=121525"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=121525"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=121525"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=121525"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}