Performance-Enhanced Android MMRat Infects Devices through Counterfeit App Stores

A new Android Trojan called MMRat has been discovered by researchers from Trend Micro. This Trojan is targeting mobile users in Southeast Asia and is infecting user devices through fake app stores, allowing hackers to commit bank fraud. MMRat disguises itself as an official government or dating app on a fake app store, and once downloaded and launched, it presents a phishing website to victims in order to gain access to their credentials and personal data.

The Trojan, which Trend Micro named after its package name, com.mm.user, can capture user input and screen content and lets attackers remotely control infected devices. Its end goal is to drain victims' bank accounts using the stolen credentials and personal data. What sets MMRat apart from most Android banking Trojans is its command-and-control (C2) channel: a customized C2 protocol whose messages are encoded with Protocol Buffers (Protobuf), a serialization format rarely seen in this class of malware. Protobuf is not itself the protocol; it is the compact binary encoding the C2 messages use, and that is what lets the Trojan move large amounts of data to and from the server efficiently.
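Because the C2 messages are Protobuf-encoded, the first thing an analyst usually does with captured traffic is decode the wire format without a schema to see the field numbers, wire types and values. The following is an added example written for this page, not Trend Micro's tooling and not MMRat's real message definitions: a minimal schema-less decoder for the Protobuf wire format, run on a constructed message whose field numbers and contents are hypothetical.

```python
"""Schema-less decoder for the Protocol Buffers wire format.

Added example for this article. The field numbers, values and the sample
message below are constructed for illustration and are not MMRat's schema.
"""
from typing import Any, List, Tuple

# Constructed sample message (hand-encoded):
#   field 1, varint 7           -> 08 07
#   field 2, bytes "dev-1"      -> 12 05 'd' 'e' 'v' '-' '1'
#   field 3, varint 300         -> 18 ac 02
#   field 4, nested {1: 1}      -> 22 02 08 01
SAMPLE_MESSAGE = b"\x08\x07\x12\x05dev-1\x18\xac\x02\x22\x02\x08\x01"


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Read a base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def decode_message(buf: bytes) -> List[Tuple[int, str, Any]]:
    """Return [(field_number, wire_type_name, value), ...] for one message.

    Length-delimited fields come back as bytes; whether they are a string,
    a nested message or a packed repeated field is not knowable without
    the schema, so that decision is left to the caller (see render()).
    """
    fields: List[Tuple[int, str, Any]] = []
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x7
        if field_no == 0:
            raise ValueError("illegal field number 0")
        if wire_type == 0:                       # varint
            value, pos = read_varint(buf, pos)
            fields.append((field_no, "varint", value))
        elif wire_type in (1, 5):                # fixed64 / fixed32
            width = 8 if wire_type == 1 else 4
            if pos + width > len(buf):
                raise ValueError("truncated fixed-width field")
            value = int.from_bytes(buf[pos:pos + width], "little")
            pos += width
            fields.append((field_no, f"fixed{width * 8}", value))
        elif wire_type == 2:                     # length-delimited
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of buffer")
            fields.append((field_no, "bytes", bytes(buf[pos:pos + length])))
            pos += length
        else:                                    # 3/4 (groups) and 6/7 are not handled
            raise ValueError(f"unsupported wire type {wire_type}")
    return fields


def looks_like_message(data: bytes) -> bool:
    """Heuristic: does this byte string parse cleanly as a protobuf message?"""
    try:
        decode_message(data)
        return True
    except ValueError:
        return False


def render(buf: bytes, depth: int = 0) -> List[str]:
    """Human-readable lines; length-delimited fields that parse as messages are expanded."""
    lines: List[str] = []
    pad = "  " * depth
    for no, kind, value in decode_message(buf):
        if kind == "bytes" and value and looks_like_message(value):
            lines.append(f"{pad}{no}: message {{")
            lines.extend(render(value, depth + 1))
            lines.append(f"{pad}}}")
        elif kind == "bytes":
            try:
                lines.append(f"{pad}{no}: string {value.decode('utf-8')!r}")
            except UnicodeDecodeError:
                lines.append(f"{pad}{no}: bytes {value.hex()}")
        else:
            lines.append(f"{pad}{no}: {kind} {value}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_MESSAGE)))
```

The nested-message detection is a heuristic: a short string whose bytes happen to form valid tags will be expanded as a message, so treat the rendering as a starting point and confirm field meanings against the malware's behaviour (for example, which field grows when screen capture is active).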

Researchers found that most of the MMRat samples analyzed came from phishing websites posing as official app stores, localized into different languages depending on the targeted user base. It is still unclear how the attackers delivered the phishing links to victims. Once installed, MMRat asks the user for a set of permissions which, once granted, give it access to sensitive data and device functions. It then begins sending device status, personal data, and keylogged input back to the remote server.

One of MMRat's first actions is to collect the victim's contact list and the list of installed apps. The attackers likely use this to confirm that the victim fits a target profile, for example by looking for contacts or installed apps that tie the device to a particular region, before proceeding with further malicious activity.

The Trojan relies heavily on two Android features: the Accessibility service, which it abuses to read user input and drive the user interface on the attacker's behalf, and the MediaProjection API, which it uses to capture screen content. Together with its connection to the attacker-controlled server, these give the operators remote control of the device. They can remotely wake the device, unlock the screen, and carry out bank fraud with the victim's credentials, while streaming screen captures to the server so the operator can watch the device screen as they work. Once the fraud is complete, MMRat uninstalls itself, removing its traces from the device.

Android banking Trojans like MMRat remain a persistent problem on the platform and require users to exercise caution. MMRat employs evasion techniques that make it hard to detect; at the time of Trend Micro's analysis its samples had no detections on VirusTotal. To protect against this and similar threats, Trend Micro recommends downloading apps only from official sources such as the Google Play Store. Keeping device software up to date is also crucial, since updates carry the security fixes that protect against new threats. Users should be especially careful about granting accessibility permissions to any app they install, because MMRat depends on Android's Accessibility service to carry out its malicious activities.
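The two paragraphs above describe the capability MMRat hinges on (an enabled accessibility service on a sideloaded app) and the defensive advice that follows from it. A practitioner checking a device for this pattern can pull two values over adb and cross-reference them. The following is an added example for this page, not part of Trend Micro's report: it parses the text of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i` and flags third-party apps that hold an enabled accessibility service but were not installed from Google Play. The sample outputs are constructed, the package names in them are hypothetical, and the `pm` line format is assumed from that sample.

```python
"""Triage enabled accessibility services on an Android device.

Added example for this article. Inputs are the captured text of two adb
commands; the samples below are constructed and the package names are
hypothetical (none of them is MMRat's real package).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated "package/ServiceClass" entries.
SAMPLE_ENABLED_SERVICES = (
    "com.example.reader/com.example.reader.ScreenReaderService:"
    "com.example.govportal/com.example.govportal.ControlService"
)

# Constructed sample of `pm list packages -3 -i` (third-party apps with installer).
# "installer=null" is what a sideloaded APK shows.
SAMPLE_PM_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.govportal  installer=null
package:com.example.reader  installer=com.android.vending
"""

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


@dataclass
class Finding:
    package: str
    services: List[str]
    installer: Optional[str]
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def parse_enabled_services(value: str) -> Dict[str, List[str]]:
    """Map package name -> enabled accessibility service classes."""
    services: Dict[str, List[str]] = {}
    value = value.strip()
    if not value or value == "null":      # `settings get` prints "null" when unset
        return services
    for entry in value.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        services.setdefault(pkg, []).append(cls)
    return services


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map third-party package name -> installer package (None if sideloaded)."""
    installers: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        m = _PM_LINE.match(line.strip())
        if not m:
            continue
        pkg, installer = m.groups()
        installers[pkg] = None if installer == "null" else installer
    return installers


def triage(settings_value: str, pm_output: str) -> List[Finding]:
    """Report third-party apps that hold an enabled accessibility service.

    An app is marked suspicious when it did not come from Google Play, the
    distribution path the article describes for MMRat. Play-installed apps
    with an accessibility service are listed for review but not flagged.
    """
    enabled = parse_enabled_services(settings_value)
    installers = parse_installers(pm_output)
    findings: List[Finding] = []
    for pkg, classes in enabled.items():
        if pkg not in installers:
            continue  # preinstalled/system service (e.g. a screen reader): not in -3 output
        installer = installers[pkg]
        reasons: List[str] = []
        if installer != PLAY_STORE_INSTALLER:
            reasons.append("accessibility service on an app not installed from Google Play")
        findings.append(Finding(pkg, classes, installer, bool(reasons), reasons))
    return sorted(findings, key=lambda f: f.package)


if __name__ == "__main__":
    for f in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PM_OUTPUT):
        flag = "SUSPICIOUS" if f.suspicious else "review"
        print(f"{flag:10} {f.package} installer={f.installer} services={f.services}")
```

A hit here is a lead, not a verdict: an installer of `null` also appears for apps pushed by an MDM or installed during development, so the next step is to pull the APK (`adb shell pm path <package>` then `adb pull`) and look at what the service actually does.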

It is important for mobile device users to maintain vigilance when sharing personal and banking information online or with any apps on their device. Malware like MMRat is designed to use this data to commit bank fraud. Installing a reputable security solution on an Android device can help detect and remove threats before they can cause harm. By following these precautions, users can better protect themselves from Android Trojans like MMRat and reduce the risk of falling victim to bank fraud.
