A new Android malware, dubbed MMRat, has been found targeting mobile users in Southeast Asia since June. The name comes from its package name, ‘com.mm.user’. The malware uses a customized command-and-control (C2) protocol based on Protobuf to transfer large volumes of data efficiently.
Infection process
According to Trend Micro, most MMRat samples are distributed via phishing websites disguised as official app stores. The sites look alike but are localized into different languages to reach victims across several countries.
In one such case, the malware was found masquerading as an official government or dating app to perform bank fraud.
After installation, the app asks the victim to grant the permissions it needs.
Once those permissions are granted, the malware starts communicating with its remote server and exfiltrates a large amount of data stored on the phone, including personal data.
In the final stage, MMRat uninstalls itself and wipes the evidence of infection from the phone.
Capabilities
MMRat relies heavily on the Android Accessibility service and the MediaProjection API to function.
It can carry out bank fraud, capture user input and on-screen content, and remotely control victims' devices.
It uses evasion techniques similar to those of Gigabud RAT and Vultur to stay under the radar during the infection process.
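Because MMRat depends on an enabled Accessibility service and arrives through sideloading from fake app stores, a quick triage step on a suspect device is to list the enabled Accessibility services and check where each owning package was installed from. The script below is an added example, not Trend Micro's code and not part of the malware; it parses the output of two real adb commands (`adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`) and flags services whose package was not installed by a trusted store. Both command outputs embedded here are constructed samples, and the service class name `com.mm.user.AccService` is hypothetical; only the package name `com.mm.user` comes from the report.

```python
"""Triage check: which enabled Android Accessibility services belong to
sideloaded apps?  Added example; not Trend Micro's code and not part of MMRat.

It parses the output of two real adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
The sample outputs below are constructed, not captured from a real device.
"""
from dataclasses import dataclass

# Installer packages that correspond to curated stores.  adb prints
# "installer=null" for apps installed via adb or sideloaded from a browser.
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Galaxy Store
}

# Constructed sample of `settings get secure enabled_accessibility_services`:
# ComponentName strings ("package/class") separated by ':'.
# The class name com.mm.user.AccService is hypothetical.
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.mm.user/com.mm.user.AccService"
)

# Constructed sample of `pm list packages -i`.
SAMPLE_PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.settings  installer=null
package:com.mm.user  installer=null
package:com.example.bank  installer=com.android.vending
"""


@dataclass(frozen=True)
class A11yFinding:
    package: str
    service: str
    installer: str
    suspicious: bool


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the colon-separated ComponentName list into (package, class) pairs."""
    pairs = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        # Android permits the shorthand "pkg/.Class"; expand it to a full class name.
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_installers(raw: str) -> dict[str, str]:
    """Map package name -> installer package from `pm list packages -i` output."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition(" ")
        installer = "null"
        for tok in rest.split():
            if tok.startswith("installer="):
                installer = tok[len("installer="):]
        installers[pkg] = installer
    return installers


def triage(a11y_raw: str, pm_raw: str) -> list[A11yFinding]:
    """Flag every enabled Accessibility service whose package did not come from a trusted store."""
    installers = parse_installers(pm_raw)
    findings = []
    for pkg, cls in parse_enabled_services(a11y_raw):
        installer = installers.get(pkg, "unknown")
        suspicious = installer not in TRUSTED_INSTALLERS
        findings.append(A11yFinding(pkg, cls, installer, suspicious))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENABLED_A11Y, SAMPLE_PM_LIST):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.package}  service={f.service}  installer={f.installer}")
```

On a real device, pipe the two adb commands into the parsers instead of the constructed samples. Expect some noise: OEM-preinstalled accessibility tools and system apps also show `installer=null`, so the trusted-installer set needs tuning per device fleet, and a flagged service is a lead for further inspection (package signer, install time, requested permissions), not proof of infection.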
App stores remain a lucrative target
Recently, Zimperium shared details about thousands of malicious apps using stealthily crafted APKs to bypass security checks. These APKs were distributed via third-party app stores or sideloaded with the help of social engineering.
In another instance, two Android malware families, Fake Trade and CherryBlos, were discovered on the Google Play Store disguised as social media and other apps, stealing users' cryptocurrency credentials and funds.
Ending note
To protect against this malware, Android users should check ratings and user reviews before downloading apps, install apps only from reputable publishers, and be cautious when granting permissions at installation, in particular any request to enable an Accessibility service, which MMRat depends on.