
New Android MoqHao Malware Variant Installs and Executes Automatically


TLDR: A new variant of the MoqHao Android malware has been discovered by researchers at McAfee. Unlike previous versions, this variant does not require user interaction to install and launch the app. The malware is distributed through phishing SMS messages containing malicious links that, when clicked, trigger the automatic download of the malicious app. The new variant also uses social engineering techniques to set itself as the default SMS app. The malware has expanded its targets to include countries such as South Korea, France, Germany, and India. It connects to a command and control (C2) server through WebSocket and has several commands for various purposes. McAfee provides detailed information about the malware, including indicators of compromise.

Key Points:

  • A new variant of the MoqHao Android malware has been discovered.
  • The malware does not require user interaction to install and launch.
  • It is distributed through phishing SMS messages containing malicious links.
  • The malware expands its targets to include countries like South Korea, France, Germany, and India.
  • It connects to a C2 server through WebSocket and has several commands for various purposes.
  • McAfee provides detailed information and indicators of compromise for the malware.

The Roaming Mantis threat group has distributed a new variant of the MoqHao Android malware. Unlike previous variants, this variant does not require user interaction to install and launch the app. The malware is distributed through phishing SMS messages that contain a malicious shortened link. Once the user clicks on the link, the device automatically downloads the malicious application. This new variant of the malware has various behaviors that differ from previous versions. It automatically launches after installation without any user interaction. The malware also uses social engineering techniques to set itself as the default SMS app.

Additionally, the new variant of MoqHao has expanded its targets to include countries such as South Korea, France, Germany, and India. The malware connects to a command and control (C2) server through WebSocket, and several commands have been added for checking SIM state, sending SMS messages, setting sound/vibrate/silent mode, and more.

McAfee has provided comprehensive information about the malware, including details on its source code, deployment techniques, affected targets, and other important insights. It also offers indicators of compromise, such as SHA256 hashes of the malicious applications.
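
A triage check for the default-SMS-app behavior described above, as an added example that is not from McAfee's report or the original page: it takes the output of `adb shell settings get secure sms_default_application` and `adb shell pm list packages -i` and flags a default SMS handler that is not on an expected list, noting where it was installed from. The allowlists, function names and sample package names are assumptions constructed for illustration.

```python
import re

# Assumption: SMS apps this fleet expects to hold the default SMS role.
EXPECTED_SMS_APPS = {"com.google.android.apps.messaging"}
# Assumption: installer packages treated as trusted app-store sources.
TRUSTED_INSTALLERS = {"com.android.vending"}

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_installers(pm_output):
    """Map package -> installer (None if unset) from `pm list packages -i`."""
    installers = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def triage_default_sms(default_sms_output, pm_output):
    """Return a list of findings about the current default SMS handler."""
    default_sms = default_sms_output.strip()
    if default_sms in ("", "null"):
        return ["no default SMS app reported; re-check on the device"]
    if default_sms in EXPECTED_SMS_APPS:
        return []
    findings = ["unexpected default SMS app: " + default_sms]
    installers = parse_installers(pm_output)
    if default_sms not in installers:
        findings.append("default SMS app missing from package list")
    elif installers[default_sms] not in TRUSTED_INSTALLERS:
        source = installers[default_sms] or "no installer recorded (sideloaded or preinstalled)"
        findings.append("not installed by a trusted store: " + source)
    return findings

# Constructed sample output; package names are illustrative, not real IoCs.
SAMPLE_PM = """\
package:com.google.android.apps.messaging  installer=com.android.vending
package:com.example.fakebrowser  installer=null
"""

if __name__ == "__main__":
    for finding in triage_default_sms("com.example.fakebrowser\n", SAMPLE_PM):
        print(finding)
```

A finding here is a prompt to inspect the device, not a verdict: confirm the flagged package against the SHA256 hashes in McAfee's report.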
