A new Android banking trojan named MMRat is targeting mobile users in Southeast Asia. Built to carry out bank fraud from the victim's own device, the malware had no detections on VirusTotal when researchers examined it, a sign of how effectively it slips past signature-based scanning.
MMRat is distributed through phishing websites that impersonate official app stores, which is how it reaches its victims. What sets it apart is a customised Protobuf-based C2 protocol for moving large volumes of data efficiently, combined with the ability to capture screenshots, control the device remotely, and collect extensive personal and device data.
Researchers from Trend Micro’s Mobile Application Reputation Service (MARS) identified MMRat, an Android trojan that has targeted mobile users in Southeast Asia since late June 2023. The name comes from its package name, “com.mm.user”. MMRat captures screenshots, remotely controls infected devices, and collects sensitive data while keeping its activity hidden from the user.
Despite its rich feature set, the malware evaded detection on VirusTotal, a troubling result for defenders who rely on such scanning. It is distributed through fraudulent app stores that pose as legitimate ones, but researchers have not yet determined how victims are lured to these counterfeit sites.
MMRat uses a customised Protobuf-based C2 protocol, something rarely seen in Android banking trojans, which makes the transfer of large volumes of data to its operators more efficient. Its goal is bank fraud: the victim unknowingly downloads and installs the malware and grants the permissions it requests, above all Accessibility access, which gives the operator the foothold needed to act on the device.
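As an added example (not code from the article or from Trend Micro's research), the following schema-less decoder splits a Protobuf wire-format message into field numbers, wire types and values, which is what an analyst can do with captured C2 traffic before the .proto schema is recovered, much as `protoc --decode_raw` does. The sample message, its field layout (command id, device id, screen size, checksum) and the constant `MAX_DEPTH` are constructed for this example and are not MMRat's real protocol.

```python
"""Schema-less decoder for the Protobuf wire format.

Added example for the custom Protobuf-based C2 protocol discussed above; it is
not MMRat's protocol or schema. The sample message built below is constructed
for this example and its field meanings are invented.
"""

from __future__ import annotations

MAX_DEPTH = 8  # guard against pathological nesting in attacker-controlled input


def encode_varint(n: int) -> bytes:
    """Base-128 varint: 7 bits per byte, low bits first, MSB = continuation."""
    if n < 0:
        raise ValueError("negative values need zigzag/sint encoding")
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a varint at buf[pos]; return (value, new_pos).
    Rejects truncated and over-long encodings instead of producing garbage."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def _field(num: int, wire_type: int, payload: bytes) -> bytes:
    return encode_varint((num << 3) | wire_type) + payload


def build_sample_message() -> bytes:
    """Constructed message: 1=varint command id, 2=string device id,
    3=nested {1=width, 2=height}, 4=fixed32 checksum."""
    screen = _field(1, 0, encode_varint(1080)) + _field(2, 0, encode_varint(1920))
    device_id = b"device-123"
    return (
        _field(1, 0, encode_varint(1))
        + _field(2, 2, encode_varint(len(device_id)) + device_id)
        + _field(3, 2, encode_varint(len(screen)) + screen)
        + _field(4, 5, (0xDEADBEEF).to_bytes(4, "little"))
    )


def _interpret(chunk: bytes, depth: int):
    """Length-delimited payloads carry no type tag: try a nested message, then
    UTF-8 text, else raw bytes. This is a heuristic; a short string can parse
    as a valid message by accident, so confirm against real traffic."""
    if chunk and depth < MAX_DEPTH:
        try:
            return decode_raw(chunk, depth + 1)
        except ValueError:
            pass
    try:
        text = chunk.decode("utf-8")
        if text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    return chunk


def decode_raw(buf: bytes, depth: int = 0) -> list[tuple[int, int, object]]:
    """Return [(field_number, wire_type, value), ...] for one message."""
    fields = []
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        num, wt = tag >> 3, tag & 7
        if num == 0:
            raise ValueError("field number 0 is invalid")
        if wt == 0:
            value, pos = read_varint(buf, pos)
        elif wt in (1, 5):  # 64-bit and 32-bit fixed-width, little-endian
            size = 8 if wt == 1 else 4
            if pos + size > len(buf):
                raise ValueError("truncated fixed-width field")
            value = int.from_bytes(buf[pos:pos + size], "little")
            pos += size
        elif wt == 2:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field overruns buffer")
            value = _interpret(buf[pos:pos + length], depth)
            pos += length
        else:  # 3/4 are deprecated groups, 6/7 are reserved
            raise ValueError(f"unsupported wire type {wt}")
        fields.append((num, wt, value))
    return fields


if __name__ == "__main__":
    for num, wt, value in decode_raw(build_sample_message()):
        print(f"field {num} (wire type {wt}): {value!r}")
```

Every bounds check in `decode_raw` matters because the input is attacker-controlled: a length prefix larger than the buffer, an unterminated varint, or deep nesting should produce a clean error rather than an exception deep inside analysis tooling.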
Once running, MMRat connects to a remote server, over which it exfiltrates data and receives commands to manipulate the device. By capturing the screen and performing actions on the victim's behalf, the operator can carry out bank fraud and then cover their tracks by having the malware uninstall itself.
MMRat’s capabilities go beyond the standard feature set of such malware. It abuses the Android Accessibility service to capture user input and control the device remotely, and the MediaProjection API to capture screen content. It disguises itself as a legitimate app and keeps its process alive by launching a 1×1-pixel activity, too small for the user to notice.
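As an added example (not from the original article or from Trend Micro's research), the following triage script parses the output of two adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and flags third-party apps holding Accessibility access, packages not installed by a trusted store, and the package name reported for MMRat. The sample command output, the service class name `com.mm.user.AccService`, and the allowlists are constructed assumptions for this example.

```python
"""Triage helper for the Accessibility-abuse pattern described above.

It parses text captured from two adb commands (constructed sample output
below, not taken from a real device):
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3 -i
and reports third-party packages holding Accessibility access, packages not
installed by a trusted store, and the package name reported for MMRat.
"""

from __future__ import annotations

# Package name MMRat was named after (from the article). The service class
# name used in the sample below is an assumption for illustration only.
KNOWN_BAD_PACKAGES = {"com.mm.user"}

# Assumed allowlists; adjust for the device fleet being checked.
TRUSTED_ACCESSIBILITY_PACKAGES = {"com.google.android.marvin.talkback"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play

# Constructed sample output, in the format the real commands print.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.mm.user/.AccService"
)
SAMPLE_PACKAGES = """\
package:com.google.android.youtube  installer=com.android.vending
package:com.mm.user  installer=null
package:com.example.bank  installer=com.android.vending
"""


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Return (package, fully qualified service class) pairs.

    The setting is a colon-separated list of 'package/class'; the class may be
    abbreviated as '.Name' relative to the package, and the value is the
    literal string 'null' when no service is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue  # malformed entry; skip rather than abort the triage
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_packages(raw: str) -> dict[str, str | None]:
    """Map package name -> installer package ('null' becomes None)."""
    result = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        name, _, rest = body.partition("installer=")
        installer = rest.strip() or "null"
        result[name.strip()] = None if installer == "null" else installer
    return result


def triage(enabled_services_raw: str, packages_raw: str) -> dict[str, list]:
    """Combine both listings into the three findings an analyst acts on."""
    services = parse_enabled_services(enabled_services_raw)
    packages = parse_packages(packages_raw)
    return {
        "untrusted_accessibility": [
            (pkg, cls) for pkg, cls in services
            if pkg not in TRUSTED_ACCESSIBILITY_PACKAGES
        ],
        "sideloaded": sorted(
            pkg for pkg, inst in packages.items() if inst not in TRUSTED_INSTALLERS
        ),
        "known_bad": sorted(pkg for pkg in packages if pkg in KNOWN_BAD_PACKAGES),
    }


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES).items():
        print(f"{key}: {hits}")
```

An app that is both sideloaded and holds Accessibility access is the combination to investigate first, since that is the permission MMRat relies on to read input and drive the device; a package-name match against `com.mm.user` is a bonus, not something to depend on, because the name can change between builds.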
To protect against MMRat and similar threats, install apps only from trusted sources, keep device software updated, think carefully before granting permissions (especially Accessibility access, which lets an app read the screen and act on your behalf), and stay alert to phishing websites posing as app stores.