MoqHao¶
MoqHao (also tracked as Roaming Mantis, XLoader, Wroba) is a long-running Android banking trojan and spyware distributed primarily through SMS phishing (smishing). Active since at least 2015, it targets users across Japan, South Korea, Taiwan, and increasingly Europe and North America. The operation is attributed to the Yanbian Gang, a Chinese-speaking financially motivated threat actor operating from the Yanbian Prefecture in Jilin, China. The family is notable for its continuous technical evolution, cycling through DNS hijacking, smishing, Google Play distribution, social media dead drop C2 resolution, WiFi router compromise, and most recently auto-execution without user interaction.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | 2015 (Deutsche Telekom), 2017-2018 (Kaspersky public tracking) |
| Last Seen | Active (ongoing campaigns) |
| Status | Active, continuously evolving |
| Type | Banking trojan, spyware, smishing distributor, DNS hijacker |
| Attribution | Roaming Mantis / Yanbian Gang (China-nexus, financially motivated) |
| Aliases | XLoader, Wroba, Wroba.o, Wroba.g, Shaoye, FakeChromeUpdate |
Vendor Names¶
| Vendor | Name |
|---|---|
| Kaspersky | HEUR:Trojan-Banker.AndroidOS.Wroba |
| McAfee | Android/MoqHao |
| ESET | Android/TrojanDropper.Agent (some variants) |
| ThreatFabric | MoqHao |
| Trend Micro | AndroidOS_Wroba, XLoader |
| Fortinet | Android/Agent.FKP!tr |
| Symantec | Android.Reputation.2 |
| Deutsche Telekom | MoqHao / Shaoye |
Naming History¶
The naming fragmentation across vendors reflects the family's long history and parallel discovery by multiple research teams. Kaspersky named the campaign "Roaming Mantis" in their April 2018 blog post focusing on the DNS hijacking delivery mechanism, while McAfee tracked the Android payload itself as "MoqHao." Trend Micro uses "XLoader" for the same family, which causes confusion with the unrelated Windows/macOS malware of the same name. Kaspersky's detection name "Wroba" (with subvariants .o, .g, .j) covers both MoqHao and related payloads in the Roaming Mantis ecosystem. Deutsche Telekom identified the operators as the Yanbian Gang, linking MoqHao to a broader criminal operation active since 2013.
Origin and Lineage¶
MoqHao is an independently developed family with no known code lineage to other banking trojan families. Deutsche Telekom traces MoqHao's origins to 2015, attributing it to the Yanbian Gang, a threat actor that has operated from the Yanbian Korean Autonomous Prefecture in Jilin, China since at least 2013. Trend Micro published a detailed analysis in 2018 examining the connections between XLoader, FakeSpy, and the Yanbian Gang, establishing the overlap in infrastructure and tooling.
Kaspersky first publicly documented the campaign in April 2018 as "Roaming Mantis," observing compromised home routers in Japan, South Korea, and Bangladesh redirecting DNS queries to serve malicious APKs. Kaspersky subsequently published a five-part series tracking the campaign's evolution:
| Part | Date | Focus | Link |
|---|---|---|---|
| I | April 2018 | DNS hijacking of home routers to distribute Android malware | SecureList |
| II | May 2018 | Expansion to 27 languages, iOS phishing, cryptocurrency mining | SecureList |
| III | October 2018 | iOS crypto mining, malicious content delivery system | SecureList |
| IV | April 2019 | Updated distribution, new evasion techniques | SecureList |
| V | January 2021 | Allowlisting, FakeCop/SpyAgent, COVID-19 lures | SecureList |
The family is cross-platform in scope: Android devices receive the MoqHao APK payload, iOS users are redirected to Apple ID phishing pages, and desktop users may be served cryptocurrency mining scripts.
Distribution¶
MoqHao has used multiple distribution vectors across its lifetime, evolving from router-based DNS hijacking to pure smishing and occasionally Google Play.
DNS Hijacking (2017-2018, revived 2022)¶
The original distribution method compromised home routers to redirect DNS queries. When users connected to a compromised router and attempted to browse, they were redirected to a landing page that prompted them to install a fake Chrome update APK.
In September 2022, Kaspersky documented a new DNS changer function built directly into the MoqHao APK. Rather than relying on externally compromised routers, the malware itself compromises WiFi routers that the infected device connects to:
- The malware obtains the default gateway IP from the connected WiFi network
- It attempts to access the router's admin interface using default credentials
- It checks the router model against 113 hard-coded model strings (primarily South Korean router manufacturers)
- If the model matches, it changes the router's DNS settings to attacker-controlled servers
- The rogue DNS server address is retrieved dynamically from a VK profile (id728588947)
This turns every infected phone into a propagation tool: when connected to WiFi at cafes, hotels, airports, or homes, it can compromise the router and redirect all connected devices to malicious landing pages. Deutsche Telekom additionally discovered that MoqHao includes a CAPTCHA bypass capability, using OCR to solve text-based CAPTCHAs on router admin interfaces during brute-force login attempts.
Smishing¶
The primary distribution vector since 2018 uses SMS phishing. The attack chain varies by region but follows a consistent pattern:
| Stage | Details |
|---|---|
| Initial SMS | Delivery notification impersonating postal services (Yamato Transport, Japan Post, Korea Post, La Poste, DHL) |
| URL shortening | Links use URL shorteners to obscure the true destination |
| Landing page | Geofenced and OS-aware: Android users get APK download, iOS users get Apple ID phishing |
| Installation | Disguised as Chrome browser update or delivery tracking app |
| Permissions | Requests accessibility service, SMS, contacts |
| Propagation | Reads victim's contacts, sends smishing SMS to spread further |
Kaspersky documented COVID-19 lure adaptation in 2020: the operators switched Japanese smishing messages from postal notifications to "delivering free masks for the coronavirus issue," demonstrating rapid adaptation to current events.
Google Play¶
In 2019, McAfee found MoqHao-related spyware on Google Play targeting Japan and Korea. The apps masqueraded as security applications under package names like com.jshop.test and com.jptest.tools2019. This marked a brief foray into official store distribution, though smishing remained the primary vector.
Distribution Evolution¶
| Year | Method |
|---|---|
| 2017-2018 | DNS hijacking via compromised routers, serving fake Chrome updates |
| 2018-present | Smishing campaigns with postal service lures |
| 2019 | Google Play distribution |
| 2021 | OS-specific payloads via smishing |
| 2022 | DNS changer built into APK payload, targeting South Korean routers |
| 2024 | Auto-execution variant runs immediately after installation |
| 2024-2025 | iCloud abuse for APK hosting, VK for C2 resolution |
Capabilities¶
| Capability | Description |
|---|---|
| SMS phishing (smishing) | Sends phishing SMS to victim's contacts for worm-like propagation |
| Banking credential theft | Overlay attacks targeting banking apps |
| SMS interception | Reads and intercepts SMS including OTPs |
| Contact exfiltration | Uploads full contact list to C2 for targeting |
| Device info collection | IMEI, SIM number, Android ID, serial number, OS version, installed apps |
| Photo theft | Accesses and exfiltrates device photos |
| WiFi router DNS hijacking | Compromises routers the infected device connects to |
| CAPTCHA bypass | OCR-based solving of text CAPTCHAs on router admin pages |
| Auto-execution (2024) | Runs immediately after installation without user launch |
| Fake Chrome overlay | Persistent Chrome update prompt concealing malicious activity |
| Call eavesdropping | Monitors and records phone calls |
| Location tracking | Tracks device GPS coordinates |
Technical Details¶
Auto-Execution Mechanism (2024)¶
The 2024 variant documented by McAfee achieves auto-execution by abusing Android's content provider initialization. When an app declares a content provider in its manifest, the Android system initializes that provider during the app installation process to verify uniqueness of the provider authority. MoqHao places its malicious initialization code in this content provider's onCreate() method, which the system calls automatically without any user interaction.
This eliminates the social engineering step of convincing users to open the app after installation. The malware begins operating in the background immediately, displaying a fake Chrome notification to prompt permission grants. McAfee reported the findings to Google, which began working on mitigations to prevent this type of auto-execution in future Android versions.
The 2024 variant also uses Unicode characters in the app label to evade detection. Instead of displaying a readable app name, the label uses zero-width and special Unicode characters that render as blank or near-invisible text in the app drawer.
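Both of the traits above are visible in the manifest before any dynamic analysis. The Go example below is added here (it is not code from McAfee or from the malware) and assumes the manifest has already been decoded from binary AXML to plain XML, for instance with apktool; it lists the content providers whose onCreate() the system invokes at install time and flags a label built from invisible Unicode. The sample manifest, package and class names are constructed.

```go
package main

import (
	"encoding/xml"
	"strings"
	"unicode"
)

type manifest struct {
	Package string `xml:"package,attr"`
	App     struct {
		Label     string `xml:"http://schemas.android.com/apk/res/android label,attr"`
		Providers []struct {
			Name string `xml:"http://schemas.android.com/apk/res/android name,attr"`
		} `xml:"provider"`
	} `xml:"application"`
}

// Finding: provider classes whose onCreate() the system runs at install, plus label checks.
type Finding struct {
	Package        string
	Providers      []string // fully qualified provider classes
	InvisibleRunes []rune   // format (Cf) code points such as U+200B found in the label
	HiddenLabel    bool     // true when the label has no visible character at all
}
func Triage(manifestXML string) (Finding, error) {
	var m manifest
	if err := xml.Unmarshal([]byte(manifestXML), &m); err != nil {
		return Finding{}, err
	}
	f := Finding{Package: m.Package}
	for _, p := range m.App.Providers {
		if strings.HasPrefix(p.Name, ".") { // manifest shorthand for a package-relative class
			p.Name = m.Package + p.Name
		}
		f.Providers = append(f.Providers, p.Name)
	}
	visible := 0
	for _, r := range m.App.Label {
		if unicode.Is(unicode.Cf, r) { // ZWSP, ZWNJ, ZWJ, word joiner, BOM and friends
			f.InvisibleRunes = append(f.InvisibleRunes, r)
		} else if !unicode.IsSpace(r) {
			visible++
		}
	}
	f.HiddenLabel = visible == 0
	return f, nil
}

// Constructed, already-decoded manifest (not a real sample): one provider, label of U+200B U+200C.
const sampleManifest = `<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.triage">
  <application android:label="&#8203;&#8204;">
    <provider android:name=".InitProvider" android:authorities="com.example.triage.init"/>
  </application>
</manifest>`
```

A provider declaration alone is not a verdict, since androidx startup initializers and FileProvider use the same mechanism; the list is a pointer to the classes to decompile first, and an unreadable label is the stronger signal.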
C2 Infrastructure¶
MoqHao uses a layered C2 resolution strategy built on social media dead drops. Rather than hard-coding C2 server addresses into the APK, the malware stores social media profile URLs and retrieves the actual C2 address at runtime from encoded text in profile descriptions.
Dead Drop Resolution Flow¶
- The APK contains hard-coded URLs pointing to profiles on social media platforms
- The malware fetches the profile page via HTTP GET
- It extracts an encoded string from the profile's "About" or description field
- The string is decrypted (DES in CBC mode with a hard-coded key) to reveal the C2 IP address
- The malware connects to the C2 via WebSocket using JSON-RPC
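Analysts who recover the key from the APK usually script the same resolution offline so that new profile text can be decoded without running the sample. The Go example below is added here (it is not code from the malware or from any vendor report) and assumes a DES-CBC key and IV with PKCS#7 padding, a base64 blob in square brackets inside the description, and an IP address as the result; the key, IV, delimiter and profile text are all constructed placeholders, and EncodeDeadDrop exists only to build that sample.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
	"net"
	"regexp"
)
// Constructed placeholders: the real key, IV and delimiter come from the APK
// under analysis; the page gives none. Blob assumed base64 in square brackets.
var (
	demoKey, demoIV = []byte("k3y!demo"), []byte("iv!demo0") // 8-byte DES key and CBC IV
	markerRe        = regexp.MustCompile(`\[([A-Za-z0-9+/=]+)\]`)
)

// DecodeDeadDrop extracts the bracketed blob from a profile description, base64-decodes
// it, DES-CBC decrypts it and accepts the result only if it parses as an IP address.
func DecodeDeadDrop(description string, key, iv []byte) (string, error) {
	m := markerRe.FindStringSubmatch(description)
	if m == nil {
		return "", errors.New("no encoded string in description")
	}
	ct, err := base64.StdEncoding.DecodeString(m[1])
	if err != nil {
		return "", err
	}
	block, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return "", errors.New("ciphertext not block aligned")
	}
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(ct, ct) // decrypt in place
	n := int(ct[len(ct)-1]) // PKCS#7 pad length; a wrong key almost always fails below
	if n == 0 || n > block.BlockSize() || !bytes.Equal(ct[len(ct)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad padding (wrong key?)")
	}
	if c2 := string(ct[:len(ct)-n]); net.ParseIP(c2) != nil {
		return c2, nil
	}
	return "", errors.New("decrypted value is not an IP address")
}

// EncodeDeadDrop is the inverse; it only serves to build a constructed sample offline.
func EncodeDeadDrop(c2 string, key, iv []byte) string {
	block, _ := des.NewCipher(key)
	pad := block.BlockSize() - len(c2)%block.BlockSize()
	buf := append([]byte(c2), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf) // encrypt in place
	return "[" + base64.StdEncoding.EncodeToString(buf) + "]"
}
```

Because the profile is public, the same decoder can be pointed at a saved copy of the page on a schedule, so a change in the decoded address becomes a detection event before the infected devices move to the new server.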
Platform Evolution¶
| Period | Dead Drop Platform |
|---|---|
| Early variants | Twitter (accounts stored with \| separator) |
| 2019-2022 | Imgur profiles (shaoye77, shaoye88, shaoye99 accounts), encoded in "About" section |
| 2022-2023 | Pinterest profiles, phishing content extracted from bio/description fields |
| 2023+ | Baidu, VKontakte, iCloud |
| 2024-2025 | VK (m.vk.com) for C2 resolution, iCloud for payload hosting |
This approach lets operators rotate C2 servers by editing a social media profile, without needing to push malware updates. Takedown of any single platform profile only disrupts operations temporarily since new profiles can be created on alternative platforms.
Staging Infrastructure¶
Team Cymru identified 14 MoqHao C2 servers based on malware analysis and infrastructure pivots. The delivery chain uses disposable staging infrastructure relying on Dynamic DNS services (such as DuckDNS subdomains) for landing pages, while the actual C2 servers are hosted on dedicated infrastructure (EHOSTIDC and VELIANET autonomous systems observed by Sekoia).
C2 Commands¶
The malware communicates with C2 via WebSocket using JSON-RPC. McAfee documented 20 commands in the 2024 variant:
| Command | Function |
|---|---|
| getSmsKW | Exfiltrate all SMS messages to C2 |
| sendSms | Send SMS to specified number (smishing propagation) |
| gcont | Export entire contacts list to C2 |
| getPhoneState | Collect device identifiers (IMEI, SIM number, Android ID, serial number) |
| callPhone | Initiate phone calls |
| http | Send HTTP requests (download payloads, exfiltrate data) |
Additional commands handle photo exfiltration, call recording, location tracking, app installation, and configuration updates. The 2024 variant added new commands beyond the set present in earlier versions.
Smishing Infrastructure¶
Each infected device functions as an SMS distribution node. The C2 server provides:
- SMS message templates localized by region
- Target phone number lists (harvested from previously infected devices)
- Timing parameters to avoid carrier-level SMS filtering
The phishing message content is dynamically retrieved from social media profiles (Pinterest bios in the 2024 variant), allowing operators to update lure text without pushing malware updates. This creates a distributed smishing network similar to FluBot's approach, though MoqHao predates FluBot by several years and primarily targets Asian markets.
Anti-Analysis and Obfuscation¶
| Technique | Details |
|---|---|
| Tencent Packer | Some variants use the Tencent packer to hide the malicious payload |
| Native packing | Custom native (C/C++) packer wrapping the DEX payload |
| Multidex obfuscation | Malicious loader hidden among junk code files using Android Multidex |
| String encryption | DES encryption with hard-coded keys for C2 configuration strings |
| Icon hiding | Uses setComponentEnabledSetting on PackageManager to hide the app icon after installation |
| Geofencing | Landing pages check visitor geolocation and OS to filter researchers |
| Allowlisting | Korean landing pages require phone number entry checked against an allowlist before serving the APK |
| Unicode label | 2024 variants use zero-width Unicode characters in app labels |
| Tencent Push Service | Used in some variants to issue commands to infected devices, blending with legitimate push notification traffic |
Permissions¶
| Permission | Purpose |
|---|---|
| BIND_ACCESSIBILITY_SERVICE | Overlay triggering, permission auto-granting, UI interaction |
| READ_SMS | Read SMS messages for OTP interception |
| RECEIVE_SMS | Intercept incoming SMS in real-time |
| SEND_SMS | Send smishing messages for propagation |
| READ_CONTACTS | Harvest contact lists for smishing targets |
| INTERNET | C2 communication |
| ACCESS_FINE_LOCATION | GPS tracking of infected device |
| CAMERA | Photo capture |
| RECORD_AUDIO | Call eavesdropping |
| RECEIVE_BOOT_COMPLETED | Persistence across reboots |
| CALL_PHONE | Initiate calls |
| READ_PHONE_STATE | Collect device identifiers |
Target Regions¶
MoqHao's geographic targeting has expanded significantly since its initial focus on East Asia.
| Region | Target Apps/Services | Period |
|---|---|---|
| Japan | Yamato Transport, Japan Post, banking apps | 2017-present |
| South Korea | Korea Post, banking apps, cryptocurrency exchanges | 2017-present |
| Taiwan | Postal services, financial institutions | 2018-present |
| France | La Poste, banking apps | 2022-present |
| Germany | DHL, banking apps | 2022-present |
| United States | Postal services | 2022-present |
| India | Banking apps | 2024-present |
| Austria, Turkey, Malaysia | Various financial services | Intermittent campaigns |
Kaspersky's detection data from September through December 2022 showed the highest Wroba.o detection rates in France (54.4%), Japan (12.1%), and the United States (10.1%).
Scale¶
Team Cymru observed close to 1.5 million victim communications to MoqHao C2 servers since the end of 2022, with evidence of campaigns targeting every continent. Africa, Asia, and Europe were the most impacted regions.
Sekoia documented approximately 70,000 Android device compromises in a single French campaign, with over 90,000 unique IP addresses requesting the C2 server distributing MoqHao. Japan alone accounted for nearly 25,000 malicious APK downloads in one campaign wave, with Austria and France each contributing roughly 7,000.
Notable Campaigns¶
2017-2018: Kaspersky discovers Roaming Mantis compromising home routers in Japan, South Korea, and Bangladesh via DNS hijacking to distribute fake Chrome update APKs. The campaign supports 27 languages by May 2018 and adds iOS phishing and desktop crypto mining.
2018: McAfee documents MoqHao spreading via SMS phishing in South Korea, impersonating Chrome browser updates. Trend Micro links XLoader and FakeSpy to the Yanbian Gang.
2019: McAfee finds MoqHao-related spyware on Google Play targeting Japan and Korea, marking the family's first appearance on the official app store.
2020: Operators adapt smishing lures to COVID-19, sending messages about free mask delivery in Japan. Korean landing pages add phone number allowlisting to filter security researchers.
2021: McAfee documents OS-specific payloads in Roaming Mantis smishing campaigns. Android devices receive MoqHao APK; iOS users get Apple ID phishing.
2022, January-June: Kaspersky tracks Roaming Mantis expansion to Europe, documenting campaigns against French and German users using postal service lures. Sekoia reports 70,000 compromised Android devices in France with over 90,000 unique IPs contacting C2 infrastructure.
2022, September: Kaspersky discovers the DNS changer function built into Wroba.o. The malware targets 113 specific WiFi router models (primarily South Korean manufacturers) and changes their DNS settings when an infected phone connects to their network.
2024, February: McAfee reports the auto-execution evolution. New MoqHao variants start automatically after installation by abusing Android content provider initialization. Targets include users in France, Germany, India, Japan, and South Korea.
2024-2025: Hunt.io documents campaigns abusing Apple iCloud for APK hosting and VK for C2 resolution. Smishing messages in Japanese claim failed delivery attempts, with shortened URLs hosted on X/Twitter redirecting to geofenced landing pages.
Related Families¶
The Roaming Mantis ecosystem includes related malware beyond MoqHao:
- FakeCop / SpyAgent: A separate spyware family documented by Kaspersky in Part V and tracked by McAfee as SpyAgent, distributed through the same Roaming Mantis infrastructure
- FakeSpy: Linked by Trend Micro to the Yanbian Gang alongside XLoader/MoqHao
- FluBot: Shares the smishing distribution model but is an unrelated family operated by different actors. FluBot achieved similar worm-like propagation in Europe before its takedown in 2022