New Android Trojan MMRat Targets Southeast Asia Users to Carry Out Bank Fraud
A new banking malware dubbed "MMRat" was identified remotely controlling compromised devices to exfiltrate data from them. The stealthy trojan has been observed targeting users in Southeast Asia since June 2023.
In a published article, Trend Micro disclosed that the malware, which continues to evade detection (none of the engines on VirusTotal flag it), can capture screenshots and user input. It also uses a customized command-and-control (C2) protocol based on the rarely used protocol buffers (Protobuf) serialization format to boost performance when transferring large volumes of data.
While the mode of phishing link distribution to victims remains unclear, researchers believe that the malware is being distributed via websites disguised as official app stores.
The attack begins when a victim downloads and installs the dubious app containing MMRat and grants the permissions it requests. "To avoid suspicion, MMRat often masquerades as an official government or dating app, then presents a phishing website to victims upon being launched," Trend Micro revealed.
Once it has the needed access, the malware begins communicating with the C2 servers to transfer large amounts of data from the victim's device, including network data, installed apps, contacts, and screen and battery state. This information is collected on a schedule by a timer task that MMRat sets up.
"We believe the goal of the threat actor is to uncover personal information to ensure the victim fits a specific profile. [..] contacts that meet certain geographical criteria or have a specific app installed," the article revealed.
With the Accessibility permission enabled, the malware can modify settings and grant itself additional permissions. Its remote-control capability lets it notify the threat actor and give them access to unlock the device and commit bank fraud. It also lets the threat actor capture screenshots "for server-side visualization of the device screen".
After this, the malware can terminate itself, removing all traces of itself from the system.
According to Trend Micro, the malware's stealthy screen-recording and C2 communication capabilities enable the threat actors to live-stream the device's screen while committing bank fraud.
The rise of Android trojans makes it imperative for device owners to download software only from reliable sources and to be vigilant when granting accessibility permissions.
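Because MMRat's privilege escalation and remote control both hinge on the Accessibility permission, one practical check for a defender is to audit which accessibility services are actually enabled on a device and flag any that are not on an expected allowlist. The script below is an added example written for this page; it is not code from the article or from Trend Micro. It assumes the `enabled_accessibility_services` secure setting, which on a connected device is read with `adb shell settings get secure enabled_accessibility_services` and is a colon-separated list of `package/service` entries; the allowlist entry and the sample setting value are constructed placeholders.

```shell
# Added example (not from the article or Trend Micro): audit the Android
# "enabled_accessibility_services" secure setting against an allowlist.
# Live source of the value: adb shell settings get secure enabled_accessibility_services
# The value is a colon-separated list of package/service entries, or "null"
# when no accessibility service is enabled.

# Allowlist of accessibility services expected on a managed device.
# Constructed placeholder value; replace with your own entries.
ALLOWED_SERVICES="com.example.screenreader/.ReaderService"

# flag_unexpected_services <setting_value>
# Prints each enabled accessibility service that is not in the allowlist,
# one per line. Returns 1 if any unexpected service was found, 0 otherwise.
flag_unexpected_services() {
    value="$1"
    found=0
    # Nothing enabled: nothing to flag.
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0
    fi
    old_ifs="$IFS"
    IFS=':'
    for entry in $value; do
        [ -z "$entry" ] && continue
        case ":$ALLOWED_SERVICES:" in
            *":$entry:"*) ;;                       # known, allowlisted service
            *) printf '%s\n' "$entry"; found=1 ;;  # unexpected service
        esac
    done
    IFS="$old_ifs"
    return $found
}

# Constructed sample of what the setting might look like on a device where a
# disguised app has enabled its own accessibility service (package names invented).
SAMPLE_SETTING="com.example.screenreader/.ReaderService:com.fake.govapp/.a11y.RemoteService"

# Live use on a connected device (uncomment):
# flag_unexpected_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
```

Run it against the constructed sample with `flag_unexpected_services "$SAMPLE_SETTING"`: it prints the unexpected `com.fake.govapp/.a11y.RemoteService` entry and exits non-zero, which makes it easy to wire into a fleet-wide compliance check.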