Dubbed Roaming Mantis, the initial attacks mostly targeted South East Asia, but now the malware has been updated with the capability to specifically target users across Europe and the Middle East.
Those behind the criminal operation have even expanded attacks to cater for 27 different languages -- including English, Spanish, Hebrew, Chinese, Russian and Hindi -- in order to help coordinate successful infections. The additional languages have been added via an automatic translator.
Roaming Mantis attacks spread via DNS hijacking, with users who attempt to access any website via a compromised router redirected to rogue sites. The language of the rogue landing page is set to correspond with the language settings of the device, choosing one of the 27 available -- up from the original five.
On this page, a pop-up urges the user to download a file -- named 'facebook.apk' or 'chrome.apk' -- which distributes the malicious payload. These malicious apk files have also been expanded to support 27 languages, although researchers note that comments are still left in Simplified Chinese.
Roaming Mantis previously only targeted Android devices, but now it has been changed to also target iPhones, with users accessing the web via a compromised DNS redirected to a phishing site after being told that they need to login to the app store again.
The page mimics the Apple website, claiming to be 'security.app.com' and asks for user ID, password, card number, card expiration date and CVV of victims. The HTML source of the phishing site also supports 25 languages, with just Bengali and Georgian missing from the full list.
In addition to stealing sensitive information from Android and Apple mobile devices, researchers uncovered that the HTML source code of the Roaming Mantis landing page also contains a special script to be executed in the browser with the purpose of mining cryptocurrency.
With the addition of these new features and regular updates to the malware combined with the rapid expansion of the campaign, it's likely that "those behind it have a strong financial motivation and are probably well-funded," said Ishimaru.
In the last few months, attacks have spread around the world, with the highest number of infected users in Russia, Ukraine and India. Roaming Mantis also also successfully compromised targets across Europe and even the United States.
While only 150 successful attacks have been identified in the wild, Kaspersky Lab warns that it could only represent a "tiny fraction of the overall picture" because DNS hijacking can make it difficult to identify detections.