New Wroba Campaign Is Latest Sign of Growing Mobile Threats

After years of mostly targeting users in Japan, Korea, and other countries in the region, operators of the Trojan expanded their campaign to the US this week.

A new malware campaign targeting smartphone users in the US is the latest sign that mobile devices are becoming the next big target for cyberattackers.

Kaspersky this week said its threat-monitoring systems had detected malware known as the Wroba Trojan, which targets Android and iOS device owners in the US with a fake package-delivery notification.

Android device users who click on a link in the notification are taken to a malicious site with an alert that warns users about their mobile browser being out of date and needing to be updated. Users tricked into clicking "OK" to download the purported browser update end up installing the malware on their device instead.

The download does not work on iPhones. Users of iPhones who fall for the fake package-delivery notification are currently only sent to a blank page. However, the researchers say in earlier campaigns, victims have been sent to a phishing page designed to look like Apple's login page, which attempts to steal their Apple ID credentials.

Once Wroba is installed on a device, it can carry out a variety of malicious activities, according to Kaspersky. This includes sending fake SMS messages, checking installed packages, accessing financial transaction data, stealing the user's contact list, and serving up phishing pages for stealing credentials, including those associated with bank accounts.

Kaspersky malware analyst Alexander Eremin says the origins of the phone numbers being targeted in the latest campaign are unclear. He surmises they could either have been chosen at random or are, for example, numbers stolen from some e-commerce service that performs package deliveries.

In some respects, such as its distribution via SMS, Wroba is not unlike other mobile malware, Eremin says. "But it utilizes some unusual techniques to hide its communication with its command-and-control [C2] server, like using MessagePack format and DES encryption to send the data."

Wroba also has the ability to update its list of C2 servers with the help of information in social media accounts. The C2 information, for example, might be stored in encrypted form in the "Bio" or similar field in a social media account, Eremin says.

Wroba is not new malware. Malwarebytes first reported on Wroba, then masquerading as a legitimate Google Play store app, back in 2013. But up to now, Wroba, aka FunkyBot, has mainly targeted users in Korea, Japan, and other countries in the Asia-Pacific region. The campaign launched this week marks the first time the operator of the malware has targeted US mobile device owners, according to Kaspersky.

In a report earlier this year, and in at least two more in 2018, Kaspersky described Wroba as being part of a broader mobile malware campaign called "Roaming Mantis." Earlier versions of the malware were distributed via DNS hijacking: the operators hijacked the DNS settings on home routers and redirected users of those routers to malicious sites.

Since at least 2018, versions of Wroba have also been distributed via malicious SMS messages (aka smishing) using spoofed package-delivery notices. According to Kaspersky, the operators of Wroba have customized the spoofed notices so the messages appear to come from trusted domestic package delivery services in each targeted country. Other vendors, such as Fortinet, have also been tracking the threat for some time now.

Growing Problem
The latest Wroba campaign is another sign of the growing threat that mobile users and organizations face from malware, adware, and other unwanted software on smartphones and other mobile devices. Thirty-nine percent of more than 875 mobile security professionals surveyed for the 2020 edition of Verizon's Mobile Security Index said their organizations had experienced a security compromise involving a mobile device in the past year. Two years ago, only 27% reported such a breach. Two-thirds of those who experienced a mobile-related breach described the impact as major.

Malware is not the only issue. Adware, designed to serve up unwanted ads on mobile devices, is another big problem. In the first half of this year, adware accounted for more than 35% of all malicious files that mobile users encountered on their devices, according to Kaspersky.

Phishing is a growing problem as well. According to Lookout's 2020 "Mobile Phishing Spotlight Report," enterprise mobile phishing encounters jumped 37% globally between the fourth quarter of 2019 and the first quarter of 2020. In North America, the increase was much higher, at 66.3%.

"Threat actors are building more-advanced phishing campaigns beyond just credential harvesting," says Hank Schless, senior manager of security solutions at Lookout.

Through the first nine months of 2020, almost 80% of phishing attempts were designed to get users to install malicious apps on their mobile devices, he says.

"Threat actors have learned how to socially engineer at scale by creating fake influencer profiles with massive followings that encourage followers to download malicious apps," Schless says. "Personal apps on devices that can access corporate resources pose serious risk to enterprise security posture."

Story was updated Nov. 3, 2020, to correct how iPhone users experience this scam.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
