Connect with us

Hi, what are you looking for?


Malware & Threats

New ‘MMRat’ Android Trojan Targeting Users in Southeast Asia

The newly identified MMRat Android trojan has been targeting users in Southeast Asia to remotely control devices and perform bank fraud.

A newly identified Android trojan targeting users in Southeast Asia is allowing attackers to control devices remotely and perform bank fraud, Trend Micro reports.

Dubbed MMRat and active since June, the malware can capture user input and take screenshots, and uses a customized command-and-control (C&C) protocol based on Protobuf, which improves its performance when transferring large amounts of data.

The malware has been distributed via websites masquerading as official application stores, and which were tailored in different languages, including Vietnamese and Thai. However, it is unclear how links to these sites are distributed to the intended victims.

After installation, MMRat asks the victim to enable necessary permissions, and starts communicating with its C&C, sending device information and capturing user input. If Accessibility permissions are enabled, the threat can modify settings and grant itself more permissions.

The malware signals its operators when the device is not in use, so they can unlock it to perform bank fraud and initialize screen capture.

The malware then uninstalls itself, removing all traces of infection from the device. MMRat was also seen posing as an official government or dating application, to avoid user suspicion.

“Subsequently, it registers a receiver that can receive system events, including the ability to detect when the system switches on and off, and reboots, among others. Upon the receipt of these events, the malware launches a 1×1-sized pixel activity to ensure its persistence,” Trend Micro explains.

Advertisement. Scroll to continue reading.

The malware was seen initiating the Accessibility service and initializing server communication over three ports, for data exfiltration, video streaming, and C&C.

Based on commands received from the server, the malware can execute gestures and global actions, send text messages, unlock the screen using a password, input passwords in applications, click on the screen, capture screen or camera video, enable the microphone, wake up the device, and delete itself.

MMRat can collect a broad range of device data and personal information, including network, screen, and battery data, installed applications, and contact lists.

“We believe the goal of the threat actor is to uncover personal information to ensure the victim fits a specific profile. For instance, the victim may have contacts that meet certain geographical criteria or have a specific app installed. This information can then be used for further malicious activities,” Trend Micro notes.

According to Trend Micro, the screen capture capability is likely used in conjunction with remote control, allowing the threat actor to view the device’s live status when performing bank fraud. The malware also uses the MediaProjection API to capture screen content and stream video data to the C&C server.

The malware also uses a ‘user terminal state’ approach to capturing screen data, where only text information is sent to the server, without the graphical user interface, resembling a terminal.

Related: Anatsa Banking Trojan Delivered via Google Play Targets Android Users in US, Europe

Related: Android App With 50,000 Downloads in Google Play Turned Into Spyware via Update

Related: New Android Trojans Infected Many Devices in Asia via Google Play, Phishing

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...