MoqHao Android Malware Evolves with Auto-Execution Capability

February 09, 2024NewsroomMobile Security / Cyber ​​Threats

MoqHao Android Malware

Threat hunters have identified a new variant of Android malware called MoqHao which automatically executes on infected devices without requiring any user interaction.

“Typical MoqHao requires users to install and launch the app to achieve their desired goal, but this new variant requires no implementation,” McAfee Labs SAYS in a report published this week. “As soon as the app is installed, their malicious activity starts automatically.”

Campaign targets include Android users located in France, Germany, India, Japan, and South Korea.

MoqHao, also called Wroba and XLoader (not to be confused with the Windows and macOS malware of the same name), is an Android-based mobile threat associated with a Chinese financial-driven cluster called Roaming Mantis (aka Shaoye).


Common attack chains begin with SMS messages with the theme of sending a package containing fraudulent links that, when clicked from Android devices, lead to the deployment of malware but are redirect victims to credential harvesting pages that mimic Apple’s iCloud login page when visited from an iPhone.

In July 2022, Sekoia detailed a campaign that compromised at least 70,000 Android devices in France. Early last year, new versions of MoqHao were found to have infiltrated Wi-Fi routers and hijacked the Domain Name System (DNS), revealing the enemy’s commitment to change. or in its arsenal.

The latest iteration of MoqHao continues to be distributed through smishing techniques, but what has changed is that the malicious payload is automatically executed upon installation and prompts the victim to provide it with a dangerous permissions without launching the app, a behavior previously seen in fake apps containing HiddenAds malware.

Also received face change is that the links shared in the SMS messages themselves are hidden using URL shorteners to increase the probability of success of the attack. The content of these messages is taken from the bio (or description) field from fraudulent Pinterest profiles set up for this purpose.

MoqHao Android Malware

MoqHao is equipped with many features that allow it to secretly harvest sensitive information such as device metadata, contacts, SMS messages, and photos, call specific numbers with silent mode, and enable/disable Wi-Fi, etc.

McAfee said it reported the findings to Google, which it said is “already working on implementing mitigations to prevent this type of auto-execution in future versions of Android.”

The development comes as Chinese cybersecurity company QiAnXin Revelation that a previously unknown cybercrime syndicate named Bigpanzi was involved in compromising Android-based smart TVs and set-top boxes (STBs) to corral them into a botnet for conducting distributed denial- of-service (DDoS) attacks.


The operation, active since at least 2015, is estimated to control a botnet consisting of 170,000 daily active bots, most of which are located in Brazil. However, 1.3 million unique Brazilian IP addresses were associated with Bigpanzi as of August 2023.

The infections are made possible by tricking users into installing booby-trap apps for streaming pirated movies and TV shows through sketchy websites. The campaign was first disclosed by Russian antivirus vendor Doctor Web in September 2023.

“Once installed, these devices become operating nodes within their illegal media streaming platform, serving services such as traffic proxying, DDoS attacks, provision of OTT content, and pirate traffic,” said QiAnXin researchers.

“The potential for Bigpanzi-controlled TVs and STBs to broadcast violent, terrorist, or pornographic content, or to use more convincing AI-generated videos for political propaganda, poses a major threat to social order and strength.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment