New Wroba Campaign Is Latest Sign of Growing Mobile Threats

After years of mostly targeting users in Japan, Korea, and other countries in the region, operators of the Trojan expanded their campaign to the US this week.

5 Min Read
Dark Reading logo in a gray background | Dark Reading

A new malware campaign targeting smartphone users in the US is the latest sign that mobile devices are becoming the next big target for cyberattackers.

Kaspersky this week said its threat-monitoring systems had detected malware known as the Wroba Trojan, which targets Android and iOS device owners in the US with a fake package-delivery notification.

Android device users who click on a link in the notification are taken to a malicious site with an alert that warns users about their mobile browser being out of date and needing to be updated. Users tricked into clicking "OK" to download the purported browser update end up installing the malware on their device instead.

The download does not work on iPhones. Users of iPhones who fall for the fake package-delivery notification are currently only sent to a blank page. However, the researchers say in earlier campaigns, victims have been sent to a phishing page designed to look like Apple's login page, which attempts to steal their Apple ID credentials.

Once Wroba is installed on a device, it can carry out a variety of malicious activities, according to Kaspersky. This includes sending fake SMS messages, checking installed packages, accessing financial transaction data, stealing the user's contact list, and serving up phishing pages for stealing credentials, including those associated with bank accounts.

Kaspersky malware analyst Alexander Eremin says the origins of the phone numbers being targeted in the latest campaign are unclear. He surmises they could either be targeted at random or are, for example, numbers stolen from some e-commerce service that performs package deliveries.

In some aspects, Wroba is not unlike other mobile malware — like its distribution via SMS. "But it utilizes some unusual techniques to hide its communication with its command-and-control [C2] server, like using MessagePack format and DES encryption to send the data."

Wroba also has the ability to update its list of C2 servers with the help of information in social media accounts. The C2 information, for example, might be stored in encrypted form in the "Bio" or similar field in a social media account, Eremin says.

Wroba is not new malware. Malwarebytes first reported on Wroba — then masquerading as a legitimate Google Play store app — back in 2013. But up to now, Wroba, aka FunkyBot, mainly has targeted users in Korea, Japan, and other countries in the Asia-Pacific region. The campaign launched this week marks the first time the operator of the malware has targeted US mobile devices owners, according to Kaspersky.

In a report earlier this year, and in at least two more in 2018, Kaspersky has described Wroba as being part of a broader mobile malware campaign called "Roaming Mantis." Earlier versions of the malware were distributed via DNS hijacking. The operators of the malware basically hijacked DNS settings on home routers and redirected users of those routers to malicious sites.

Since at least 2018, versions of Wroba have also been distributed via malicious SMS messages (aka smishing) using spoofed package-delivery notices. According to Kaspersky, the operators of Wroba have customized the spoofed notices, so the messages appear to come from trusted domestic package delivery services in each targeted country. Other vendors, such as Fortinet have also been tracking the threat for some time now.

Growing Problem
The latest Wroba campaign is another sign of the growing threat that mobile users and organizations face from malware, adware, and other unwanted software on smartphones and other mobile devices. Thirty-nine percent of more than 875 mobile security professionals surveyed for the 2020 edition of Verizon's Mobile Security Index said their organizations had experienced a security compromise involving a mobile device in the past year. Two years ago, only 27% reported such a breach. Two-thirds of those who experienced a mobile-related breach described the impact as major.

Malware is not the only issue. Adware — designed to serve up unwanted ads on mobile devices — is another big problem. In first half of this year, adware accounted for more than 35% of all malicious files that mobile users encountered on their devices, according to Kaspersky.

Phishing is a growing problem as well. According to Lookout's 2020 "Mobile Phishing Spotlight Report" enterprise mobile phishing encounters jumped 37% globally between the fourth quarter of 2019 and first quarter of 2020. In North America, the number was much higher, at 66.3%.

"Threat actors are building more-advanced phishing campaigns beyond just credential harvesting," says Hank Schless, senior manager of security solutions at Lookout.

Through the first nine months of 2020, almost 80% of phishing attempts were designed to get users to install malicious apps on their mobile devices, he says.

"Threat actors have learned how to socially engineer at scale by creating fake influencer profiles with massive followings that encourage followers to download malicious apps," Schless says. "Personal apps on devices that can access corporate resources pose serious risk to enterprise security posture."

Story was updated Nov. 3, 2020, to correct how iPhone users exprience this scam. 

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights