Threat actors behind the Roaming Mantis credential theft and malware distribution campaign have added a DNS changer to their Wroba.o/XLoader Android malware, which modifies the DNS settings of targeted WiFi routers to facilitate further infections, according to BleepingComputer.
Kaspersky researchers detailed that smishing messages have been leveraged in the latest campaign: Android users are prompted to install a malicious APK containing the updated Wroba.o/XLoader malware, while iOS users are redirected to a phishing page for credential theft.
Upon installation, XLoader obtains the default gateway IP address of the WiFi router the infected device is connected to and attempts to access the router's administrator web interface.
The malware uses 113 hard-coded strings to identify particular WiFi router models before hijacking their DNS settings, the report revealed. Once the router's DNS settings are modified, other devices connecting to the network are led to the malware as well. Most routers impacted by the latest campaign are in South Korea, but the U.S. could also be targeted, as the country accounted for 10% of all XLoader victims.
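The router-side effect described above (DNS settings changed so that every client on the network is served attacker-chosen answers) is something a network owner can check for from an ordinary client. The following Python script is an added example, not code from the article or from Kaspersky: it assumes the reader has already collected the DNS servers the router advertised via DHCP and A-record answers for a few stable domains from both the local resolver and a trusted public resolver, and all sample values are constructed (documentation IP ranges and `.test` names), not observed data.

```python
"""Offline check for signs of router DNS hijacking as seen from a client.

Inputs are gathered beforehand (the DNS servers the router handed out via
DHCP, and A-record answers for a few domains from the local resolver and
from a trusted public resolver). All sample data below is constructed for
illustration and is not taken from the article.
"""
import ipaddress

# Resolvers the router advertised via DHCP (constructed sample; 203.0.113.7
# is a documentation address standing in for an unexpected server).
SAMPLE_CONFIGURED_RESOLVERS = ["192.168.0.1", "203.0.113.7"]
# Resolvers the network owner expects: the router itself plus the public
# resolvers it is configured to forward to (assumed values).
SAMPLE_EXPECTED_RESOLVERS = {"192.168.0.1", "1.1.1.1", "8.8.8.8"}
# A-record answers from the local resolver vs. a trusted reference resolver
# for the same names (constructed; documentation ranges only).
SAMPLE_LOCAL_ANSWERS = {
    "login.example-bank.test": {"198.51.100.23"},
    "update.example-vendor.test": {"93.184.216.34"},
    "mail.example.test": {"93.184.216.34", "93.184.216.35"},
}
SAMPLE_REFERENCE_ANSWERS = {
    "login.example-bank.test": {"93.184.216.40"},
    "update.example-vendor.test": {"93.184.216.34"},
    "mail.example.test": {"93.184.216.35", "93.184.216.36"},
}


def unexpected_resolvers(configured, expected):
    """Return advertised resolvers that are not on the expected list.

    Entries that do not parse as IP addresses are reported as well, since a
    DHCP DNS option that is not a valid address is itself worth a look.
    """
    suspect = []
    for addr in configured:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            suspect.append(addr)
            continue
        if str(ip) not in expected:
            suspect.append(str(ip))
    return suspect


def mismatched_domains(local, reference):
    """Return domains whose local answers share no address with the
    reference answers.

    An empty intersection (rather than inequality) is required so that
    ordinary CDN rotation, where two resolvers return overlapping but not
    identical sets, is not reported as a hijack.
    """
    findings = []
    for domain, ref_addrs in reference.items():
        local_addrs = local.get(domain, set())
        if local_addrs and not (local_addrs & ref_addrs):
            findings.append({
                "domain": domain,
                "local": sorted(local_addrs),
                "reference": sorted(ref_addrs),
            })
    return findings


def assess(configured, expected, local, reference):
    """Combine both checks into a single verdict dictionary."""
    suspect = unexpected_resolvers(configured, expected)
    mismatches = mismatched_domains(local, reference)
    return {
        "suspect_resolvers": suspect,
        "mismatched_domains": [m["domain"] for m in mismatches],
        "details": mismatches,
        "verdict": "suspicious" if (suspect or mismatches) else "clean",
    }


if __name__ == "__main__":
    result = assess(SAMPLE_CONFIGURED_RESOLVERS, SAMPLE_EXPECTED_RESOLVERS,
                    SAMPLE_LOCAL_ANSWERS, SAMPLE_REFERENCE_ANSWERS)
    print("verdict:", result["verdict"])
    for r in result["suspect_resolvers"]:
        print("unexpected resolver:", r)
    for d in result["details"]:
        print(f"{d['domain']}: local {d['local']} vs reference {d['reference']}")
```

Against the constructed sample the script flags the unexpected resolver 203.0.113.7 and the bank login domain whose local answer shares nothing with the reference answer, while the mail domain's partially overlapping answers pass. The comparison is only meaningful for domains whose addresses are reasonably stable, so pick the probe domains (banks, update servers, the organisation's own hosts) accordingly, and treat a single unexpected resolver as a reason to inspect the router's DNS and admin-interface settings directly.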
This week Dr. Doug discusses: Empathy, hacking back, typosquatting, Bitwarden, Lexmark, Exchange, Russians, Iranians, Dragonbridge, Derek Johnson talks about Hive and more on the Security Weekly News.
North Korean hackers stole $630 million in cryptocurrency assets in 2022, the highest on record, reports Reuters. Sophisticated techniques were leveraged by North Korean threat actors to facilitate the record-high theft of virtual assets, which are being allocated toward the country's nuclear weapons programs, according to a United Nations report. The figure follows an earlier report by a cybersecurity firm that more than $1 billion in cryptocurrency was stolen by North Koreans last year. "The variation in USD value of cryptocurrency in recent months is likely to have affected these estimates, but both show that 2022 was a record-breaking year for DPRK (North Korea) virtual asset theft," said the U.N. report.
Several financial institutions in Brazil have been targeted by the novel Android banking trojan PixPirate that exploits the PIX payments platform for fraudulent activities, according to The Hacker News.