
Wroba Trojan

The Wroba Trojan is a mobile Trojan threat that has been deployed against users in Japan, Korea, and other places in the region since at least 2013. However, the hackers behind this malware threat have now equipped it with several modern techniques and unleashed it against users in the U.S. for the first time, displaying a significant expansion of its reach.

The initial versions of Wroba were caught pretending to be a legitimate Google Play Store application, while later iterations abused the DNS settings of compromised routers to send users to corrupted websites. The latest distribution vector for the Wroba Trojan is so-called 'smishing' (phishing via SMS). The hackers send spoofed package-delivery notices designed to mimic the messages of legitimate package delivery services specific to each targeted country.

The Wroba Trojan is Still Being Developed by the Hackers

The Wroba Trojan can affect iOS and Android devices, but its goals are different for the two mobile environments. If Android users click on the link in the fake package-delivery notification, they are taken to a corrupted website that attempts to trick them into downloading the malware, this time disguised as a supposed browser update. The website claims that the browser on the device is outdated and must be updated immediately. This distribution method, however, doesn't work on iOS devices. Instead, Wroba redirects iOS users to a phishing page built to look as similar to an Apple login page as possible, in an attempt to collect their Apple ID credentials.

If the Wroba Trojan manages to infiltrate a device successfully, it can execute a wide range of harmful functions. The Trojan can access the user's contact list, enumerate installed packages, overlay the login pages of various banking institutions with phishing pages to collect account credentials, obtain financial transaction details, and attempt to spread itself further by sending fake SMS messages.

While the Wroba Trojan has the core functionality of typical mobile malware, its latest versions show that the hackers behind it are still upgrading it. For example, Wroba uses some rarely seen techniques, such as the MessagePack format and DES encryption, to hide its communication with its Command-and-Control (C2, C&C) infrastructure. One of the latest trends among cybercriminals is to use legitimate social services as dead-drop locations for encoded data. The Wroba Trojan is keeping up: it can also modify its list of C2 servers according to information obtained from social media accounts set up by the hackers.
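As an added analysis example (not code from this page or from the malware itself), the following triage helper checks whether a captured C2 blob, once a candidate DES key has been applied elsewhere, parses cleanly as MessagePack; a wrong key almost never yields a well-formed message, so this is a cheap way to validate keys recovered from a sample. The DES layer is assumed to be handled separately (the Python standard library has no DES), and the sample plaintext is constructed by hand.

```python
import struct

# Added triage helper; not code from the original page or from the Wroba malware.
# Assumes the DES layer was already stripped with a candidate key (no DES in the
# standard library): a clean MessagePack parse is a cheap signal the key was right.
_UINT = {0xCC: (">B", 1), 0xCD: (">H", 2), 0xCE: (">I", 4)}  # uint8/16/32 formats

def _decode(buf: bytes, pos: int):
    """Decode one MessagePack object at buf[pos]; return (value, next_pos)."""
    b = buf[pos]
    if b <= 0x7F:                                  # positive fixint
        return b, pos + 1
    if 0x80 <= b <= 0x8F:                          # fixmap with N entries
        return _decode_map(buf, pos + 1, b & 0x0F)
    if 0x90 <= b <= 0x9F:                          # fixarray with N items
        return _decode_array(buf, pos + 1, b & 0x0F)
    if 0xA0 <= b <= 0xBF:                          # fixstr, N bytes of UTF-8
        n, start = b & 0x1F, pos + 1
        return buf[start:start + n].decode("utf-8"), start + n
    if b in (0xC2, 0xC3):                          # false / true
        return b == 0xC3, pos + 1
    if b in _UINT:
        fmt, size = _UINT[b]
        return struct.unpack(fmt, buf[pos + 1:pos + 1 + size])[0], pos + 1 + size
    raise ValueError(f"unsupported MessagePack type byte 0x{b:02x}")

def _decode_array(buf, pos, count):
    items = []
    for _ in range(count):
        item, pos = _decode(buf, pos)
        items.append(item)
    return items, pos

def _decode_map(buf, pos, count):
    out = {}
    for _ in range(count):
        key, pos = _decode(buf, pos)
        out[key], pos = _decode(buf, pos)
    return out, pos

def unpack_c2_message(plaintext: bytes):
    """Decoded object if the buffer is exactly one well-formed value, else None."""
    try:
        value, end = _decode(plaintext, 0)
    except (ValueError, IndexError, UnicodeDecodeError, TypeError, struct.error):
        return None
    return value if end == len(plaintext) else None

# Constructed sample plaintext, hand-encoded: {"cmd": "beacon", "ver": 7}
SAMPLE = b"\x82\xa3cmd\xa6beacon\xa3ver\x07"
```

Truncated input, trailing bytes after the first value, or a type byte outside the supported subset all return None, which is what a decryption attempt with the wrong key typically produces.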
