Blog

Oct 19, 2023

New 'MMRat' Android Trojan Targeting Users in Southeast Asia

The newly identified MMRat Android trojan has been targeting users in Southeast Asia to remotely control devices and perform bank fraud. By Flipboard Reddit Pinterest Whatsapp Whatsapp Email A newly

The newly identified MMRat Android trojan has been targeting users in Southeast Asia to remotely control devices and perform bank fraud.

By

Flipboard

Reddit

Pinterest

Whatsapp

Whatsapp

Email

A newly identified Android trojan targeting users in Southeast Asia is allowing attackers to control devices remotely and perform bank fraud, Trend Micro reports.

Dubbed MMRat and active since June, the malware can capture user input and take screenshots, and uses a customized command-and-control (C&C) protocol based on Protobuf, which improves its performance when transferring large amounts of data.

The malware has been distributed via websites masquerading as official application stores, and which were tailored in different languages, including Vietnamese and Thai. However, it is unclear how links to these sites are distributed to the intended victims.

After installation, MMRat asks the victim to enable necessary permissions, and starts communicating with its C&C, sending device information and capturing user input. If Accessibility permissions are enabled, the threat can modify settings and grant itself more permissions.

The malware signals its operators when the device is not in use, so they can unlock it to perform bank fraud and initialize screen capture.

The malware then uninstalls itself, removing all traces of infection from the device. MMRat was also seen posing as an official government or dating application, to avoid user suspicion.

“Subsequently, it registers a receiver that can receive system events, including the ability to detect when the system switches on and off, and reboots, among others. Upon the receipt of these events, the malware launches a 1×1-sized pixel activity to ensure its persistence,” Trend Micro explains.

The malware was seen initiating the Accessibility service and initializing server communication over three ports, for data exfiltration, video streaming, and C&C.

Based on commands received from the server, the malware can execute gestures and global actions, send text messages, unlock the screen using a password, input passwords in applications, click on the screen, capture screen or camera video, enable the microphone, wake up the device, and delete itself.

MMRat can collect a broad range of device data and personal information, including network, screen, and battery data, installed applications, and contact lists.

“We believe the goal of the threat actor is to uncover personal information to ensure the victim fits a specific profile. For instance, the victim may have contacts that meet certain geographical criteria or have a specific app installed. This information can then be used for further malicious activities,” Trend Micro notes.

According to Trend Micro, the screen capture capability is likely used in conjunction with remote control, allowing the threat actor to view the device’s live status when performing bank fraud. The malware also uses the MediaProjection API to capture screen content and stream video data to the C&C server.

The malware also uses a ‘user terminal state’ approach to capturing screen data, where only text information is sent to the server, without the graphical user interface, resembling a terminal.

Related: Anatsa Banking Trojan Delivered via Google Play Targets Android Users in US, Europe

Related: Android App With 50,000 Downloads in Google Play Turned Into Spyware via Update

Related: New Android Trojans Infected Many Devices in Asia via Google Play, Phishing

Ionut Arghire is an international correspondent for SecurityWeek.

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.

Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.

While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works.(Marie Hattar)

Just as a professional football team needs coordination, strategy and adaptability to secure a win on the field, a well-rounded cybersecurity strategy must address specific challenges and threats.(Matt Wilson)

As the SEC cyber incident disclosure rules come into effect, organizations will be forced to seriously consider giving security leaders a seat at the table.(Marc Solomon)

Working remotely is here to stay and businesses should continue to make sure their basic forms of communication are properly configured and secured.(Matt Honea)

The complexity and challenge of distributed cloud environments often necessitate managing multiple infrastructure, technology, and security stacks, multiple policy engines, multiple sets of controls, and multiple asset inventories.(Joshua Goldfarb)

Flipboard

Reddit

Pinterest

Whatsapp

Whatsapp

Email

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...