How Roaming Mantis Malware Hijacks DNS to Infect Android, iOS, and PCs

What Is DNS Hijacking?

DNS hijacking tricks a browser by altering the DNS response so that the domain name resolves to an attacker‑controlled IP address, while the URL bar still shows the legitimate domain, making the redirection invisible to users.

Roaming Mantis on Android

When a device connects to a compromised router, the malware redirects any request to a malicious site that prompts the user to update their browser. The update is a fake chrome.apk (or facebook.apk) that requests extensive permissions such as account access, SMS, calls, audio recording, and file access. After installation, the malware harvests Google account information, displays a fake login prompt, and collects personal data like name and birthdate.

Roaming Mantis on iOS

For iOS devices the malware skips the APK download and instead serves a phishing page that mimics an App Store login. The page uses a trusted‑looking URL (e.g., security.apple.com) to convince users to re‑enter their Apple ID credentials and even their bank card numbers.

PC Coin Mining

On Windows PCs the malware runs a CoinHive script that mines cryptocurrency directly to the attacker’s wallet, consuming CPU cycles, causing system slowdown, and increasing power consumption.

How to Prevent Infection

Install security software on computers, laptops, smartphones, and tablets.

Keep all operating system and application software up to date.

On Android, disable installation from unknown sources (Settings → Security → Unknown sources).

Regularly update router firmware and avoid unofficial firmware from untrusted sites.