MMRat Mobile Malware

MMRat is an Android banking Trojan that stands out for an uncommon choice in its command-and-control (C2) traffic: it serializes data with Protocol Buffers (Protobuf). The compact binary encoding makes the malware more efficient at moving stolen information off compromised devices.

Discovered by security researchers in June 2023, MMRat mainly targets users in Southeast Asia. How victims are first lured to the download sites is still unknown, but researchers have established that the malware is hosted on websites posing as legitimate app stores.

Unsuspecting victims download and install the trojanized applications, which often pose as government apps or dating platforms. Once installed, the app asks the victim to grant a set of permissions, the most important being access to Android's Accessibility Service.

Accessibility access is the pivot point: a service with that permission can read the screen and perform taps and gestures on the user's behalf, so the malware uses it to click through subsequent permission prompts and grant itself further privileges without any user interaction. Everything MMRat does afterwards on the compromised device builds on this foothold.
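A triage check for the Accessibility abuse described above, offered as an added example that is not part of the original article and not MMRat's code: it reads the device's `enabled_accessibility_services` secure setting through `adb` and flags any enabled service whose package is not on an allowlist. The allowlist, the sample setting value and the package names inside it are constructed for illustration; the setting is assumed to hold a colon-separated list of `package/class` component names, which is the format Android uses for it.

```python
"""Flag enabled Android accessibility services that are not on an allowlist.

Added example (not from the original article). Assumes the secure setting
enabled_accessibility_services holds colon-separated ComponentName strings of
the form package/class, possibly abbreviated as package/.Class.
"""
from __future__ import annotations

import subprocess

# Hypothetical allowlist; a real deployment would derive this from the
# organisation's approved accessibility tooling (screen readers, MDM agents).
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}

# Constructed sample, not captured from a real device: one legitimate screen
# reader plus an unknown package using the abbreviated package/.Class form.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.govportal/.svc.A11yHelper"
)


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the setting into (package, fully qualified class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":  # `settings get` prints "null" when unset
        return []
    services = []
    for component in raw.split(":"):
        component = component.strip()
        if not component:
            continue
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):  # abbreviated form: class is relative to package
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def suspicious_services(raw: str, allowed: set[str] = ALLOWED_PACKAGES) -> list[tuple[str, str]]:
    """Return enabled services whose package is not allowlisted."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(raw) if pkg not in allowed]


def read_setting_from_device(serial: str | None = None) -> str:
    """Fetch the live setting over adb (requires a connected, authorised device)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "enabled_accessibility_services",
    ]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in read_setting_from_device()
    # to inspect a real handset.
    for pkg, cls in suspicious_services(SAMPLE_SETTING):
        print(f"REVIEW: accessibility service enabled for unknown package {pkg} ({cls})")
```

An unexpected package here is only a lead, not proof of infection; the next step is to pull the APK (`adb shell pm path <package>`) and inspect what else it requested.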

MMRat Allows Cybercriminals to Take Control Over Numerous Device Functions

Once MMRat is running on an Android device, it connects to its C2 server and watches for periods when the device is idle. During those windows the attackers use the Accessibility Service to remotely wake the device, unlock it, and carry out banking fraud in real time while the victim is not looking.

MMRat's main capabilities are collecting network, screen and battery information; exfiltrating the user's contacts and the list of installed applications; capturing user input via keylogging; capturing real-time screen content through the MediaProjection API; recording and live-streaming camera footage; dumping on-screen content as text to the C2 server; and, finally, uninstalling itself to remove traces of the infection.

Efficient data transmission is essential to two of these features: streaming real-time screen content and extracting text data from the 'user terminal state.' To keep that channel fast enough for live bank fraud, the malware's authors designed a custom Protobuf-based protocol for exfiltration.

MMRat Utilizes an Unusual Communication Technique to Reach the Attacker's Server

MMRat's C2 protocol is built on Protocol Buffers (Protobuf), a choice that is rare among Android Trojans. Protobuf, a data serialization format developed by Google, serves the same purpose as XML and JSON but is binary and schema-driven, so messages are smaller and faster to serialize and parse.

MMRat uses several ports and protocols to talk to its C2 infrastructure: HTTP on port 8080 for data exfiltration, RTSP on port 8554 for video streaming, and the custom Protobuf-based protocol on port 8887 for command and control. These are the port numbers observed in the analyzed samples; because the protocol is the attacker's own, the ports can be changed at will, so detection should key on the traffic's structure rather than on port numbers alone.

What makes the C2 protocol unusual is that it is built on Netty, an asynchronous network application framework for the JVM, combined with Protobuf, and that its messages are rigorously structured. The threat actor defines one overarching message type that wraps every kind of message exchanged, and uses Protobuf's "oneof" keyword so that each message carries exactly one of several possible payload types, which tells the receiver what category of data it is looking at.

Beyond Protobuf's efficiency, a custom protocol helps MMRat evade network security tools that look for the recognizable patterns of already-known threats. Because Protobuf lets the authors define their own message structures, they control exactly how data is framed and transmitted, while the schema guarantees that whatever is sent matches a predefined layout, reducing the chance of malformed or misparsed data on the receiving end.
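To make the Protobuf framing and the "oneof" structure concrete, and to show why the same record is so much smaller than its JSON equivalent, here is an added example that is not MMRat's code and not from the original article. It implements the Protobuf wire format by hand (varint keys, varint and length-delimited fields) for a hypothetical C2 envelope whose field numbers, names and oneof set are invented for illustration and are not MMRat's real schema. It also includes a schema-less parser of the kind a network analyst can run over an unknown TCP payload to decide whether it is Protobuf at all.

```python
"""Hand-rolled Protobuf wire format for a hypothetical C2 envelope.

Added example, not MMRat's code. The schema below is invented for
illustration and is NOT the real MMRat schema. No third-party library needed.

Equivalent .proto for the invented schema:
    message Envelope {
      uint32 seq = 1;
      oneof payload {
        uint32 battery_level = 10;   // varint
        string screen_text   = 11;   // length-delimited
        bytes  command       = 12;   // length-delimited
      }
    }
"""
from __future__ import annotations

import json
from typing import Iterator

# Protobuf wire types from the encoding spec (3 and 4 are deprecated groups).
WIRE_VARINT, WIRE_FIXED64, WIRE_LEN, WIRE_FIXED32 = 0, 1, 2, 5

SEQ_FIELD = 1
# oneof members of the invented schema: field number -> (name, wire type).
ONEOF_FIELDS = {
    10: ("battery_level", WIRE_VARINT),
    11: ("screen_text", WIRE_LEN),
    12: ("command", WIRE_LEN),
}


def encode_varint(n: int) -> bytes:
    """Base-128 varint: 7 data bits per byte, MSB set on every byte but the last."""
    if n < 0:
        raise ValueError("unsigned varint only")
    out = bytearray()
    while True:
        low, n = n & 0x7F, n >> 7
        out.append(low | 0x80 if n else low)
        if not n:
            return bytes(out)


def decode_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (value, new_pos); reject truncated or over-long varints."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def _field(num: int, wire: int, body: bytes) -> bytes:
    """A field is a varint key (field_number << 3 | wire_type) followed by its body."""
    return encode_varint((num << 3) | wire) + body


def encode_envelope(seq: int, **payload) -> bytes:
    """Serialize one Envelope; oneof means exactly one payload member is set."""
    if len(payload) != 1:
        raise ValueError("oneof: exactly one payload member must be set")
    ((name, value),) = payload.items()
    num = next(n for n, (nm, _) in ONEOF_FIELDS.items() if nm == name)
    out = _field(SEQ_FIELD, WIRE_VARINT, encode_varint(seq))
    if ONEOF_FIELDS[num][1] == WIRE_VARINT:
        return out + _field(num, WIRE_VARINT, encode_varint(value))
    data = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    return out + _field(num, WIRE_LEN, encode_varint(len(data)) + data)


def iter_fields(buf: bytes) -> Iterator[tuple[int, int, object]]:
    """Walk the wire format with no schema: yields (field_number, wire_type, raw value)."""
    pos = 0
    while pos < len(buf):
        key, pos = decode_varint(buf, pos)
        num, wire = key >> 3, key & 0x7
        if not 1 <= num <= (1 << 29) - 1:
            raise ValueError(f"invalid field number {num}")
        if wire == WIRE_VARINT:
            val, pos = decode_varint(buf, pos)
        elif wire in (WIRE_FIXED64, WIRE_FIXED32):
            size = 8 if wire == WIRE_FIXED64 else 4
            if pos + size > len(buf):
                raise ValueError("truncated fixed-width field")
            val, pos = buf[pos:pos + size], pos + size
        elif wire == WIRE_LEN:
            length, pos = decode_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            val, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wire}")
        yield num, wire, val


def decode_envelope(buf: bytes) -> dict:
    """Apply the invented schema; unknown fields are skipped, as Protobuf permits."""
    msg: dict = {}
    members: list[str] = []
    for num, wire, val in iter_fields(buf):
        if num == SEQ_FIELD and wire == WIRE_VARINT:
            msg["seq"] = val
        elif num in ONEOF_FIELDS:
            name, expected = ONEOF_FIELDS[num]
            if wire != expected:
                raise ValueError(f"field {num}: wire type {wire}, expected {expected}")
            members.append(name)
            msg[name] = val.decode("utf-8") if name == "screen_text" else val
    if len(members) != 1:  # the oneof invariant the receiver must enforce
        raise ValueError(f"oneof violated: members present = {members}")
    return msg


def is_valid_envelope(buf: bytes) -> bool:
    try:
        decode_envelope(buf)
        return True
    except ValueError:
        return False


def looks_like_protobuf(buf: bytes) -> bool:
    """Schema-less heuristic for an unknown payload (e.g. one seen on an odd port)."""
    try:
        return len(list(iter_fields(buf))) > 0
    except ValueError:
        return False


def size_versus_json(seq: int, text: str) -> tuple[int, int]:
    """Wire size of the same record as Protobuf versus compact JSON."""
    proto = encode_envelope(seq, screen_text=text)
    as_json = json.dumps({"seq": seq, "screen_text": text}, separators=(",", ":"))
    return len(proto), len(as_json.encode("utf-8"))
```

With the constructed record `seq=7, screen_text="Balance: $1,250"` the envelope is 19 bytes against 41 for compact JSON, and the whole message is the two key bytes `08` and `5a` plus the values, which is why a pattern-based sensor has little fixed text to match on. `looks_like_protobuf` is deliberately loose: a run of bytes that parses cleanly as valid keys and well-formed lengths is a strong hint, but confirming the protocol still needs the schema or the sample's decompiled message classes.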

MMRat illustrates the growing sophistication of Android banking Trojans, with its operators pairing stealthy, idle-time operation with an efficient, purpose-built channel for pulling data off the device.

