New Android Malware Variant MoqHao Emerges

Security researchers have identified a new variant of Android malware dubbed MoqHao, which operates without requiring user interaction.

Unlike previous versions, this iteration automatically executes upon installation on infected devices. The campaign primarily targets Android users in France, Germany, India, Japan, and South Korea. MoqHao, also known as Wroba and XLoader, is linked to the Chinese financially motivated group Roaming Mantis. The malware is distributed via smishing techniques, with malicious links hidden using URL shorteners. SMS messages containing these links are crafted from fraudulent Pinterest profiles, increasing the likelihood of successful attacks. MoqHao’s evolution includes the automatic execution of its malicious payload upon installation, prompting victims to grant risky permissions without launching the app. This behavior resembles that of HiddenAds malware, indicating a shift in tactics. Previous campaigns have compromised thousands of devices, with updated versions infiltrating Wi-Fi routers for DNS hijacking. The persistence and innovation of MoqHao underscore the ongoing threat posed by Android-based mobile malware.

The campaign’s tactics indicate a sophisticated evolution, with MoqHao’s automatic execution upon installation and disguised SMS messages presenting new challenges for detection and prevention. Its association with Roaming Mantis suggests a financially motivated agenda, with targets primarily located in key global regions.


As MoqHao continues to innovate, the threat to Android users persists, highlighting the need for robust security measures and user vigilance in safeguarding against evolving mobile malware threats.