New Android MMRat Malware Efficiently Steals Sensitive Data
Cybersecurity researchers from the Trend Micro Mobile Application Reputation Service (MARS) have unearthed a sophisticated Android banking trojan named MMRat that employs a rarely-seen yet highly efficient communication method to steal sensitive data from compromised devices. According to the research, the malware, which has operated since late June 2023, has predominantly targeted mobile users in Southeast Asia.
The trojan has been identified as a particularly potent threat capable of carrying out a wide array of malicious activities. What sets MMRat apart from most Android banking trojans is its use of Protocol Buffers (Protobuf) for its command-and-control (C&C) protocol, a choice rarely seen in mobile malware. Protobuf is an open-source binary serialization format created by Google: each field is encoded as a small numbered tag followed by its value, so messages are far more compact and faster to parse than text formats like XML or JSON.
MMRat's creators built a customized Protobuf-based C&C protocol on top of this format, which lets the trojan push large volumes of collected data to its server efficiently. That efficiency matters because the malware streams screen content and user input continuously while carrying out bank fraud and other malicious activity on the victim's device.
The malware is distributed through phishing websites that masquerade as legitimate app stores. Unsuspecting users are lured into downloading and installing malicious apps that carry the MMRat payload. Often disguised as government or dating applications, these apps prompt the user after launch to grant sensitive permissions and to enable the app as an Android Accessibility service; that service gives the trojan the ability to read what is on screen and inject taps and keystrokes on the victim's behalf.
The malware's abilities include capturing network, screen, and battery data, exfiltrating contact lists and lists of installed apps, keylogging user input, and even capturing real-time screen content using the MediaProjection API.
To move the large amount of collected data to the C&C server efficiently, MMRat uses three separate channels: HTTP on port 8080 for data exfiltration, RTSP on port 8554 for streaming video of the victim's screen, and its custom Protobuf protocol on port 8887 for command-and-control. As with any hard-coded C&C settings, a new build can change these port numbers, so defenders should treat them as indicators for this campaign rather than a durable signature of the malware.
The Protobuf-based C&C protocol reflects deliberate engineering effort on the authors' part. By basing the protocol on Netty, an asynchronous network application framework for the JVM, and defining its messages in Protobuf, they created a structured and efficient means of data exchange that is also harder to inspect than a plaintext protocol, since a binary Protobuf stream cannot be fully interpreted without its schema.
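The two preceding points, Protobuf's compact tag/value encoding and the difficulty of reading a Protobuf stream without its schema, are easiest to see in code. The example below is added here and is not MMRat's code or Trend Micro's tooling: it is a small schema-less decoder for the Protobuf wire format, of the kind an analyst would run over a payload captured on an unfamiliar port such as the C&C port described above, plus a size comparison against JSON for the same data. The message layout it encodes (device model, battery level, network type, screen size) is a hypothetical schema constructed for illustration, not MMRat's real message format.

```python
"""Schema-less Protocol Buffers wire-format decoder for triaging unknown payloads.
Added example, not MMRat's code; the sample message schema below is hypothetical."""
import json

# Wire types from the official protobuf encoding spec.
WT_VARINT, WT_FIXED64, WT_LEN, WT_SGROUP, WT_EGROUP, WT_FIXED32 = range(6)
MAX_FIELD_NUMBER = (1 << 29) - 1


def encode_varint(value: int) -> bytes:
    """Base-128 varint: 7 payload bits per byte, MSB set on every byte but the last."""
    if value < 0:
        value &= (1 << 64) - 1            # negative int64 values occupy 10 bytes
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if not value:
            out.append(byte)
            return bytes(out)
        out.append(byte | 0x80)


def read_varint(buf: bytes, pos: int) -> tuple:
    """Decode the varint starting at buf[pos]; return (value, next position)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift >= 70:
            raise ValueError("varint longer than 10 bytes")


def encode_field(field_no: int, value) -> bytes:
    """Encode one field: int -> varint, str/bytes -> length-delimited."""
    if isinstance(value, int):
        return encode_varint(field_no << 3 | WT_VARINT) + encode_varint(value)
    data = value.encode("utf-8") if isinstance(value, str) else value
    return encode_varint(field_no << 3 | WT_LEN) + encode_varint(len(data)) + data


def decode_message(buf: bytes, depth: int = 0) -> list:
    """Decode buf without a schema into [(field_no, wire_type, value), ...].

    Length-delimited fields are shown as text when printable ASCII, otherwise
    tried as a nested message, otherwise left as raw bytes. This is a heuristic
    (the same idea as `protoc --decode_raw`); ambiguous blobs can be misread.
    """
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 7
        if not 1 <= field_no <= MAX_FIELD_NUMBER:
            raise ValueError(f"illegal field number {field_no}")
        if wire_type == WT_VARINT:
            value, pos = read_varint(buf, pos)
        elif wire_type in (WT_FIXED64, WT_FIXED32):
            width = 8 if wire_type == WT_FIXED64 else 4
            if pos + width > len(buf):
                raise ValueError("truncated fixed-width field")
            value = int.from_bytes(buf[pos:pos + width], "little")
            pos += width
        elif wire_type == WT_LEN:
            length, pos = read_varint(buf, pos)
            chunk = buf[pos:pos + length]
            if len(chunk) != length:
                raise ValueError("truncated length-delimited field")
            pos += length
            if chunk.isascii() and chunk.decode().isprintable():
                value = chunk.decode()
            else:
                try:
                    value = decode_message(chunk, depth + 1) if depth < 8 else chunk
                except ValueError:
                    value = chunk
        else:
            # Groups (3/4) are deprecated and 6/7 undefined: real encoders never emit them.
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_no, wire_type, value))
    return fields


def looks_like_protobuf(payload: bytes) -> bool:
    """Cheap triage check: does the whole payload parse as one protobuf message?"""
    if not payload:
        return False
    try:
        decode_message(payload)
        return True
    except ValueError:
        return False


# Constructed sample in a HYPOTHETICAL schema (not MMRat's real layout):
#   1: device model (string)  2: battery percent (int)
#   3: network type (string)  4: screen {1: width, 2: height} (nested message)
SAMPLE_REPORT = {"model": "SM-A125F", "battery": 87, "network": "WIFI",
                 "screen": {"w": 720, "h": 1600}}


def build_sample_report() -> bytes:
    screen = encode_field(1, SAMPLE_REPORT["screen"]["w"]) + encode_field(2, SAMPLE_REPORT["screen"]["h"])
    return (encode_field(1, SAMPLE_REPORT["model"]) + encode_field(2, SAMPLE_REPORT["battery"])
            + encode_field(3, SAMPLE_REPORT["network"]) + encode_field(4, screen))


def size_comparison() -> tuple:
    """(protobuf bytes, compact JSON bytes) for the same device report."""
    proto = build_sample_report()
    js = json.dumps(SAMPLE_REPORT, separators=(",", ":")).encode()
    return len(proto), len(js)


if __name__ == "__main__":
    blob = build_sample_report()
    print("wire bytes:", blob.hex(" "))
    for field_no, wire_type, value in decode_message(blob):
        print(f"field {field_no} (wt {wire_type}): {value!r}")
    print("protobuf vs JSON size:", size_comparison())
    print("JSON text parses as protobuf?", looks_like_protobuf(b'{"model":"SM-A125F"}'))
```

Running the block decodes the constructed 26-byte report back into its numbered fields (the same data is 78 bytes as compact JSON), which is the efficiency the article refers to. Note what the decoder cannot recover: field names and types are not on the wire, so without the trojan's `.proto` definitions an analyst sees only "field 2 is the varint 87", not "battery level". The `looks_like_protobuf` check is a quick first-pass filter for traffic on a port that carries neither HTTP nor RTSP; it rejects text protocols immediately because their first byte decodes to an invalid wire type.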
Experts from Trend Micro emphasize the significance of safeguarding against such threats. Users are advised to exclusively download apps from reputable sources like the Google Play Store, remain cautious of granting unnecessary permissions, regularly update their device software, and employ reliable security solutions to counter such threats proactively.
The emergence of MMRat illustrates how Android banking trojans keep evolving, and underscores the need for constant vigilance and robust security practices to counter the increasingly sophisticated tactics employed by cybercriminals.