A new Android banking trojan called MMRat has emerged in Southeast Asia, targeting mobile users with the intention of carrying out financial fraud. This previously undocumented malware, named after its package name com.mm.user, has the ability to capture user input and screen content, as well as remotely control victim devices.

MMRat stands out from other malware of its kind due to its use of a customized command-and-control protocol based on protocol buffers. This allows for efficient transfer of large volumes of data from compromised devices, showcasing the increasing sophistication of Android malware.

The primary targets of MMRat appear to be users in Indonesia, Vietnam, Singapore, and the Philippines, based on the language used in the phishing pages. The attacks begin with victims being directed to phishing sites that mimic official app stores, although the method of directing victims to these links is currently unknown. MMRat often disguises itself as an official government or dating app to deceive users.

Upon installation, the malware heavily relies on the Android accessibility service and MediaProjection API, which have been previously exploited by another Android financial trojan called SpyNote. MMRat also abuses its accessibility permissions to grant itself additional permissions and modify settings. It establishes persistence to survive between device reboots and communicates with a remote server to receive instructions and send back the results of executed commands. The trojan uses various combinations of ports and protocols for functions such as data exfiltration, video streaming, and command-and-control.
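The combination described above (an app sideloaded outside an official store that then holds an enabled accessibility service) is something a responder can check for with `adb`. The following triage script is an added example, not code from the report; it parses constructed samples of the output of `settings get secure enabled_accessibility_services` and `pm list packages -i`, and the class name and the non-malicious package names are placeholders.

```python
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Components are ':'-separated "package/class" pairs. com.mm.user is the package name
# given in the report; the service class name is a placeholder.
ENABLED_A11Y = ("com.mm.user/com.mm.user.AccService:"
                "com.example.talkback/com.example.talkback.TalkBackService")

# Constructed sample of `adb shell pm list packages -i` output.
PM_LIST = """package:com.example.talkback installer=com.android.vending
package:com.mm.user installer=com.google.android.packageinstaller
package:com.example.bank installer=com.android.vending
"""

# Installer packages treated as an official store (assumption; extend per OEM/MDM).
STORE_INSTALLERS = {"com.android.vending"}


def parse_a11y_services(raw):
    """Return the set of package names that have an enabled accessibility service."""
    pkgs = set()
    for comp in raw.strip().split(":"):
        if "/" in comp:
            pkgs.add(comp.split("/", 1)[0])
    return pkgs


def parse_installers(raw):
    """Map package name -> installer package (None when pm reports 'null')."""
    out = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            inst = m.group(2)
            out[m.group(1)] = None if inst == "null" else inst
    return out


def suspicious_a11y_packages(a11y_raw, pm_raw, store_installers=STORE_INSTALLERS):
    """Packages with an enabled accessibility service that were not installed by a store."""
    installers = parse_installers(pm_raw)
    flagged = []
    for pkg in sorted(parse_a11y_services(a11y_raw)):
        inst = installers.get(pkg)
        if inst not in store_installers:
            flagged.append((pkg, inst))
    return flagged


if __name__ == "__main__":
    for pkg, inst in suspicious_a11y_packages(ENABLED_A11Y, PM_LIST):
        print(f"review: {pkg} (installer={inst})")
```

A hit only means the package deserves a closer look (OEM accessibility tools and legitimately sideloaded apps will also appear); confirm by inspecting the APK and the granted permissions.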

MMRat has the capability to collect a wide range of device data and personal information, including signal strength, screen status, battery stats, installed applications, and contact lists. It is suspected that the threat actor behind MMRat utilizes this information to profile potential victims before carrying out further actions.

In addition to collecting data, MMRat can record real-time screen content and capture the lock screen pattern. This allows the threat actor to remotely access the victim’s device even when it is locked and not in use. The malware abuses the accessibility service to remotely control the victim’s device, performing actions such as gestures, unlocking screens, and inputting text. When combined with stolen credentials, this can enable threat actors to carry out bank fraud.

To conclude the attacks, MMRat self-deletes upon receiving the command UNINSTALL_APP from the command-and-control server. This typically occurs after a successful fraudulent transaction, effectively eliminating all traces of infection from the compromised device.

To mitigate the risks posed by such potent malware, users are advised to only download apps from official sources, carefully review app ratings and reviews, and scrutinize the permissions requested by apps before granting access. These precautions can help protect users from falling victim to MMRat and similar threats.
