2023-08-30

A recently discovered Android banking malware called MMRat has raised concerns because it uses protobuf data serialization, a communication method rarely seen in mobile malware, to exfiltrate data efficiently from compromised devices. Trend Micro researchers first identified MMRat in late June 2023, targeting users primarily in Southeast Asia. It is distributed through websites that pose as official app stores.

Victims unknowingly download and install malicious apps carrying MMRat, which often pose as government or dating apps. During installation, these apps request risky permissions, such as access to Android's Accessibility service. Once installed, MMRat abuses the Accessibility service to grant itself additional permissions and carry out a range of malicious actions on the infected device.

Once MMRat infects an Android device, it establishes communication with the command and control (C2) server and remains dormant until the device is idle. At this point, the threat actor behind MMRat uses the Accessibility Service to wake up the device remotely, unlock the screen, and engage in real-time bank fraud. The malware’s capabilities include collecting network, screen, and battery information, exfiltrating contact lists and installed apps, capturing user input through keylogging, accessing real-time screen content using the MediaProjection API, recording and live-streaming camera data, and uninstalling itself to erase evidence of infection.

What sets MMRat apart is its use of protobuf (Protocol Buffers), a format developed by Google for serializing structured data that yields smaller payloads and faster transfers than XML or JSON. MMRat's custom protobuf protocol allows efficient data exfiltration, which matters most for real-time screen-content capture and text extraction. The malware uses separate ports and protocols for different kinds of traffic: HTTP (port 8080) for data exfiltration, RTSP (port 8554) for video streaming, and the custom protobuf protocol (port 8887) for command and control.
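The Trend Micro report does not publish MMRat's message schema, so an analyst looking at captured port-8887 traffic has only the raw bytes. The following schema-less protobuf wire-format decoder is an added example (not Trend Micro's code and not anything from the malware); it recovers field numbers, wire types and raw values the way `protoc --decode_raw` does, and the sample message is constructed with a hypothetical layout.

```python
WIRE_NAMES = {0: "varint", 1: "fixed64", 2: "bytes", 5: "fixed32"}

def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode one base-128 varint at pos; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError(f"truncated varint at offset {pos}")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")

def decode_raw(buf: bytes) -> list[tuple[int, str, object]]:
    """Walk a protobuf message without its .proto schema (like protoc --decode_raw).
    Length-delimited values stay raw bytes: they may be strings, nested messages or packed fields."""
    fields = []
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wtype = key >> 3, key & 0x7
        if field == 0:
            raise ValueError(f"illegal field number 0 at offset {pos}")
        if wtype == 0:
            value, pos = read_varint(buf, pos)
        elif wtype in (1, 5):
            width = 8 if wtype == 1 else 4
            if pos + width > len(buf):
                raise ValueError(f"truncated fixed{width * 8} at offset {pos}")
            value = int.from_bytes(buf[pos:pos + width], "little")
            pos += width
        elif wtype == 2:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError(f"length {length} overruns message at offset {pos}")
            value = buf[pos:pos + length]
            pos += length
        else:  # 3 and 4 are deprecated groups, 6 and 7 are unassigned
            raise ValueError(f"unsupported wire type {wtype} at offset {pos}")
        fields.append((field, WIRE_NAMES[wtype], value))
    return fields

# Constructed sample (hypothetical layout, not MMRat's actual schema):
# field 1 = varint 3, field 2 = bytes "battery=87", field 3 = varint 150
SAMPLE = b"\x08\x03" + b"\x12\x0abattery=87" + b"\x18\x96\x01"
```

Nested messages show up as `bytes` entries that themselves decode cleanly with `decode_raw`; a length that overruns the buffer is the usual sign of a truncated capture or a non-protobuf payload.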

Protobuf's flexibility and compact encoding work in the authors' favour. A custom protocol helps the traffic evade network security tools that only recognize known formats, while data that follows a predefined schema is less likely to be corrupted in transit. MMRat's emergence demonstrates the evolving sophistication of Android banking trojans, and underlines the need for users to verify app sources, rely on reputable publishers, and exercise caution when granting permissions during installation.

Source: Trend Micro report