Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

10/30/2020
04:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Wroba Campaign Is Latest Sign of Growing Mobile Threats

After years of mostly targeting users in Japan, Korea, and other countries in the region, operators of the Trojan expanded their campaign to the US this week.

A new malware campaign targeting smartphone users in the US is the latest sign that mobile devices are becoming the next big target for cyberattackers.

Kaspersky this week said its threat-monitoring systems had detected malware known as the Wroba Trojan, which targets Android and iOS device owners in the US with a fake package-delivery notification.

Related Content:

Mobile Phishing Attacks Increase Sharply

2020 State of Cybersecurity Operations and Incident Response

The Changing Face of Threat Intelligence

Android device users who click on a link in the notification are taken to a malicious site with an alert that warns users about their mobile browser being out of date and needing to be updated. Users tricked into clicking "OK" to download the purported browser update end up installing the malware on their device instead.

The download does not work on iPhones. Users of iPhones who fall for the fake package-delivery notification are currently only sent to a blank page. However, the researchers say in earlier campaigns, victims have been sent to a phishing page designed to look like Apple's login page, which attempts to steal their Apple ID credentials.

Once Wroba is installed on a device, it can carry out a variety of malicious activities, according to Kaspersky. This includes sending fake SMS messages, checking installed packages, accessing financial transaction data, stealing the user's contact list, and serving up phishing pages for stealing credentials, including those associated with bank accounts.

Kaspersky malware analyst Alexander Eremin says the origins of the phone numbers being targeted in the latest campaign are unclear. He surmises they could either be targeted at random or are, for example, numbers stolen from some e-commerce service that performs package deliveries.

In some aspects, Wroba is not unlike other mobile malware — like its distribution via SMS. "But it utilizes some unusual techniques to hide its communication with its command-and-control [C2] server, like using MessagePack format and DES encryption to send the data."

Wroba also has the ability to update its list of C2 servers with the help of information in social media accounts. The C2 information, for example, might be stored in encrypted form in the "Bio" or similar field in a social media account, Eremin says.

Wroba is not new malware. Malwarebytes first reported on Wroba — then masquerading as a legitimate Google Play store app — back in 2013. But up to now, Wroba, aka FunkyBot, mainly has targeted users in Korea, Japan, and other countries in the Asia-Pacific region. The campaign launched this week marks the first time the operator of the malware has targeted US mobile devices owners, according to Kaspersky.

In a report earlier this year, and in at least two more in 2018, Kaspersky has described Wroba as being part of a broader mobile malware campaign called "Roaming Mantis." Earlier versions of the malware were distributed via DNS hijacking. The operators of the malware basically hijacked DNS settings on home routers and redirected users of those routers to malicious sites.

Since at least 2018, versions of Wroba have also been distributed via malicious SMS messages (aka smishing) using spoofed package-delivery notices. According to Kaspersky, the operators of Wroba have customized the spoofed notices, so the messages appear to come from trusted domestic package delivery services in each targeted country. Other vendors, such as Fortinet have also been tracking the threat for some time now.

Growing Problem
The latest Wroba campaign is another sign of the growing threat that mobile users and organizations face from malware, adware, and other unwanted software on smartphones and other mobile devices. Thirty-nine percent of more than 875 mobile security professionals surveyed for the 2020 edition of Verizon's Mobile Security Index said their organizations had experienced a security compromise involving a mobile device in the past year. Two years ago, only 27% reported such a breach. Two-thirds of those who experienced a mobile-related breach described the impact as major.

Malware is not the only issue. Adware — designed to serve up unwanted ads on mobile devices — is another big problem. In first half of this year, adware accounted for more than 35% of all malicious files that mobile users encountered on their devices, according to Kaspersky.

Phishing is a growing problem as well. According to Lookout's 2020 "Mobile Phishing Spotlight Report" enterprise mobile phishing encounters jumped 37% globally between the fourth quarter of 2019 and first quarter of 2020. In North America, the number was much higher, at 66.3%.

"Threat actors are building more-advanced phishing campaigns beyond just credential harvesting," says Hank Schless, senior manager of security solutions at Lookout.

Through the first nine months of 2020, almost 80% of phishing attempts were designed to get users to install malicious apps on their mobile devices, he says.

"Threat actors have learned how to socially engineer at scale by creating fake influencer profiles with massive followings that encourage followers to download malicious apps," Schless says. "Personal apps on devices that can access corporate resources pose serious risk to enterprise security posture."

Story was updated Nov. 3, 2020, to correct how iPhone users exprience this scam. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29144
PUBLISHED: 2020-11-27
In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web base module in BSCS iX that is vulnerable to stored XSS via an Alert Dashboard comment. In most test cases, session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or e...
CVE-2020-29145
PUBLISHED: 2020-11-27
In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web base module in BSCS iX that is vulnerable to stored XSS via the name or description field to a solutionUnitServlet?SuName=UserReferenceDataSU Access Rights Group. In most test cases, session hijacking was also possible by utilizing t...
CVE-2020-29136
PUBLISHED: 2020-11-27
In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).
CVE-2020-29137
PUBLISHED: 2020-11-27
cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577).
CVE-2020-29135
PUBLISHED: 2020-11-27
cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).