Advanced Trojan steals banking data and mines cryptocurrencies on iOS devices

“Kaspersky lab” reported on the flurry of activity in mobile banking Trojan Mantis Roaming on iOS devices. Initially, the malware infected Android smartphones, and now the Trojan attacks and Apple gadgets.

According to “Kaspersky Lab” for 2018, Russia is in top three of the attacked countries.

Recently it became known that Roaming Mantis steals user credentials iOS devices through phishing.

The Trojan works as follows:

Initially, Roaming Mantis changes the DNS addresses of the gadget. The potential victim opens the website from iOS device, then there is a redirect to a fake login page. After entering data such as user ID, password, credit card number, its expiration date and CVV code, the information is sent to cyber criminals.

In addition, Roaming Mantis uses iPhone and iPad for web mining using cryptocurrency service CoinHive.


“The main motive of the attackers – quick profits. For example, the propagation of the Trojan they in turn used a phishing site and web mining depending on which method will bring more money in each case,” say the researchers from the “Kaspersky Lab”.

Over the past six months, the Trojan has expanded its methods of attack and evasion detection. After DNS spoofing, the device goes to the IP address of scams, which installed a malicious application sagawa.apk or chrome.apk. In addition to mobile devices, the Trojan also attacks Mantis Roaming routers.

“In our first report we warned that Roaming Mantis clearly intended to attack the growing number of users. True to its name, it is spreading rapidly from April, changing the methods depending on the location. The malware infects Android devices, is engaged in phishing and even trying to use iOS-gadgets to kriptomayning. In addition to the four Asian languages, Roaming Mantis now uses 27, distributed in Europe and the middle East,” said Suguru Ishimaru, anti-virus expert “Kaspersky Lab”.

To protect against malware, “Kaspersky Lab” recommends:

  • change the username and password of an administrator device;
  • use reliable solutions for cybersecurity on all devices;
  • to prevent installation of apps from “unknown sources”.
Clifton Nichols

Clifton Nichols

Hi! I’m Clifton and I am a full-stack engineer with a passion for building performant and scalable applications that are beautiful and easy to use.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *