We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

New Android MMRat Malware Efficiently Steals Sensitive Data

New Android MMRat Malware Efficiently Steals Sensitive Data
Zane Kennedy Published on 31st August 2023 Cybersecurity Researcher

Cybersecurity researchers from the Trend Micro Mobile Application Reputation Service (MARS) have unearthed a sophisticated Android banking trojan named MMRat that employs a rarely-seen yet highly efficient communication method to steal sensitive data from compromised devices. According to the research, the malware, which has operated since late June 2023, has predominantly targeted mobile users in Southeast Asia.

The trojan has been identified as a particularly potent threat capable of carrying out a wide array of malicious activities. What sets MMRat apart from its counterparts is its unique utilization of protocol buffers (Protobuf) for its command-and-control (C&C) protocol. Protobuf is an open-source data serialization format created by Google, designed to be more compact and efficient than traditional formats like XML or JSON.

Unlike other Android banking trojans, MMRat's creators have employed a customized Protobuf-based C&C protocol, making it adept at seamlessly transmitting large volumes of data without raising alarms. This improves the malware’s efficiency in executing bank fraud and other malicious activities on victim devices.

The malware's distribution method involves deceptive phishing websites masquerading as legitimate app stores. Unsuspecting users are lured into downloading and installing malicious apps that carry the MMRat payload. Often disguised as government or dating applications, these apps request dangerous permissions, such as access to Android's Accessibility service, during installation.

The malware's abilities include capturing network, screen, and battery data, exfiltrating contact lists and lists of installed apps, keylogging user input, and even capturing real-time screen content using the MediaProjection API.

To efficiently transfer the vast amount of collected data with the C&C server, MMRat uses various ports and protocols. The malware utilizes HTTP on port 8080 for data exfiltration, RTSP on port 8554 for video streaming, and custom Protobuf on port 8887 for its command-and-control operations.

The Protobuf-based C&C protocol employed by MMRat is a testament to the malware's creators' determination to optimize their approach. By customizing the protocol using Netty, a network application framework, and Protobuf, they've created a structured and efficient means of data exchange that is both effective and evasive.

Experts from Trend Micro emphasize the significance of safeguarding against such threats. Users are advised to exclusively download apps from reputable sources like the Google Play Store, remain cautious of granting unnecessary permissions, regularly update their device software, and employ reliable security solutions to counter such threats proactively.

The emergence of MMRat showcases the evolving landscape of Android banking trojans, underscoring the need for constant vigilance and robust security practices to counteract the increasingly sophisticated tactics employed by cybercriminals.

About the Author

Zane is a Cybersecurity Researcher and Writer at vpnMentor. His extensive experience in the tech and cybersecurity industries provides readers with accurate and trustworthy news stories and articles. He aims to help individuals protect themselves through informative content and awareness of cybersecurity's crucial role in today's digital landscape.