Nasty malware attacks iPhones and Android — what to do now

Nasty malware attacks iPhones and Android — what to do now
(Image credit: Tom's Guide)

A notorious piece of mobile malware that has ravaged Asia for several years is now setting its sights on the United States, targeting both iOS and Android devices according to Kaspersky.

Wroba, aka Roaming Mantis, was first found by Malwarebytes researchers in 2013 attacking South Korean phones, and it's since moved on to the rest of Asia and made inroads in Europe. 

At base, it's a banking Trojan that infects Android phones and tries to steal files, passwords, contact lists and messages, open web pages, make calls and send SMS text messages. But it's now attacking iPhones too.

In the current campaign, noticed in the U.S. by Kaspersky researchers last week, infected devices send "smishing" — SMS phishing — texts to the users' contacts. 

The messages notify the next generation of potential victims that "your parcel has been sent out" and that they need to click on the embedded link to learn where to pick up said parcels. It's a tried-and-true phishing technique that we've recently seen used in other campaigns.

If you're on an Android phone, the link takes you to a page where you're invited to "update" your Chrome browser — and the update is actually the malware. If you're on an iPhone, you don't get malware, but you're taken to what looks like an Apple login page, where you're supposed to enter your Apple username and password. Don't.

"Wroba ... can sit silently in the background and deliver credential harvesting pages to your browser at will," Lookout researcher Hank Schless told Threatpost. "As long as it goes unnoticed, it can attempt to grab your login data for even your most private accounts."

The baddies behind this are believed to be a Chinese criminal gang. Over the year, the malware has used many techniques to attack mobile devices, including redirecting weblinks through DNS hijacking, hacking home Wi-Fi routers, using fake postal-service apps and even installing cryptocurrency-mining software.

How to avoid this malware campaign

To avoid becoming a victim, the first rule is to ignore SMS messages that come from random senders you don't know. 

If the message seems to be meant for someone else but tells you a very valuable device — say, a brand-new iPhone — is waiting for you to come pick it up, don't let your desire for free goodies overwhelm your common sense.

Second, don't log into websites that pop up when you least expect them. There's no reason the Apple login page should appear when you're just trying to find out where to pick up a package.

Third, don't download apps from dodgy sources. If you're on Android, stick to the official Google Play Store and disable installation of software from "unknown sources." If you're on iOS, you're limited to the App Store unless you jailbreak your phone, in which case you should stick to Cydia.

Last, Android users need to install and use one of the best Android antivirus apps. Some of them are free, and most will protect your phone better than the built-in Google Play Protect

If you're on an iPhone, you'll see apps from well-known antivirus companies that purport to be security solutions, but read the fine print: Apple doesn't let antivirus apps into the App Store.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.