MMRat Mobile Malware Targets Android Devices

A previously unidentified Android banking trojan referred to as MMRat has been detected in Southeast Asia since late June 2023. This trojan, named after its unique package name "com.mm.user", is designed to target mobile users in the region. Its primary objective is to take control of mobile devices remotely and engage in financial fraud.

The malicious software is capable of capturing user inputs and screen content. Moreover, it employs various techniques to control compromised devices from a distance. This allows the attackers to conduct fraudulent activities related to banking on the victim's device. Security company Trend Micro has highlighted the distinctive feature of MMRat: its utilization of a tailored command-and-control (C2) protocol based on protocol buffers (protobuf). This specialized approach enables the efficient transfer of substantial amounts of data from compromised smartphones, showcasing the increasing complexity of Android malware.

The malware's likely targets include Indonesia, Vietnam, Singapore, and the Philippines, based on the language used in the phishing pages. The attacks begin with users being directed to phishing sites resembling official app stores, although the method of directing victims to these sites is currently unknown. MMRat commonly disguises itself as a legitimate government app or a dating application.

Once successfully installed, the trojan heavily relies on the Android accessibility service and the MediaProjection API. These components, also utilized by another Android financial trojan called SpyNote, enable MMRat to execute its malicious activities. The malware exploits its accessibility permissions to grant additional permissions to itself and modify device settings.

MMRat's Mode of Operation

MMRat is programmed to establish persistence, ensuring its survival through device reboots. It communicates with a remote server to await commands and send back the results of executed commands. The trojan employs various combinations of ports and protocols for functions such as data extraction, video streaming, and command-and-control operations.
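The traits described above (the package name, an accessibility service, MediaProjection use and reboot persistence) can be turned into a triage check over a decoded AndroidManifest.xml. The following is an added example, not code from Trend Micro or from this article; the sample manifests are constructed, and the way screen capture and persistence show up in the manifest (a `mediaProjection` foreground service type and a `BOOT_COMPLETED` receiver) is an assumption, since the article does not say how MMRat declares them.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
KNOWN_PACKAGES = {"com.mm.user"}  # package name reported in the article

def triage_manifest(manifest_xml):
    """Flag MMRat-style traits in a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    services = list(root.iter("service"))
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    actions = {a.get(ANDROID + "name")
               for r in root.iter("receiver") for a in r.iter("action")}
    found = {
        "known_package": root.get("package") in KNOWN_PACKAGES,
        # Accessibility services must be guarded by this bind permission.
        "accessibility_service": any(
            s.get(ANDROID + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
            for s in services),
        # Assumption: screen capture is declared as a foreground service type.
        "media_projection": any(
            "mediaProjection" in (s.get(ANDROID + "foregroundServiceType") or "").split("|")
            for s in services)
            or "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION" in perms,
        # Assumption: reboot persistence via a BOOT_COMPLETED receiver.
        "boot_persistence": "android.intent.action.BOOT_COMPLETED" in actions,
    }
    if found["known_package"]:
        found["verdict"] = "match"
    elif found["accessibility_service"] and found["media_projection"]:
        found["verdict"] = "review"  # legitimate remote-support apps look the same
    else:
        found["verdict"] = "ok"
    return found

def sample(package, body):  # builds constructed test manifests, not real samples
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}"><application>{body}</application></manifest>')

A11Y = ('<service android:name=".A" '
        'android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>')
PROJ = '<service android:name=".P" android:foregroundServiceType="mediaProjection"/>'
BOOT = ('<receiver android:name=".B"><intent-filter><action '
        'android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>')

if __name__ == "__main__":
    for pkg, body in [("com.mm.user", A11Y + PROJ + BOOT),
                      ("com.example.helper", A11Y + PROJ), ("com.example.notes", BOOT)]:
        print(pkg, triage_manifest(sample(pkg, body)))
```

A "review" verdict marks a sideloaded app for a closer look rather than confirming an infection, because screen readers and remote-support tools request the same combination.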

The trojan possesses the ability to gather extensive device information and personal data. This includes details like signal strength, screen status, battery statistics, installed apps, and contact lists. It's suspected that the threat actor behind MMRat employs this information for victim profiling before proceeding to the next stage of the attack.

Among its functionalities, MMRat can record real-time screen content and capture lock screen patterns. This facilitates remote access for threat actors even when the device is locked and inactive.

The attacks carried out by MMRat culminate in the trojan deleting itself upon receiving a specific C2 command ("UNINSTALL_APP"). This typically occurs after a successful fraudulent transaction, effectively eliminating all traces of the trojan from the infected device.

August 31, 2023