A newly identified Android trojan targeting users in Southeast Asia is allowing attackers to control devices remotely and perform bank fraud, Trend Micro reports.
Dubbed MMRat and active since June, the malware can capture user input and take screenshots, and uses a customized command-and-control (C&C) protocol based on Protobuf, which improves its performance when transferring large amounts of data.
The malware has been distributed via websites masquerading as official application stores, and which were tailored in different languages, including Vietnamese and Thai. However, it is unclear how links to these sites are distributed to the intended victims.
After installation, MMRat asks the victim to enable necessary permissions, and starts communicating with its C&C, sending device information and capturing user input. If Accessibility permissions are enabled, the threat can modify settings and grant itself more permissions.
The malware signals its operators when the device is not in use, so they can unlock it to perform bank fraud and initialize screen capture.
The malware then uninstalls itself, removing all traces of infection from the device. MMRat was also seen posing as an official government or dating application, to avoid user suspicion.
“Subsequently, it registers a receiver that can receive system events, including the ability to detect when the system switches on and off, and reboots, among others. Upon the receipt of these events, the malware launches a 1×1-sized pixel activity to ensure its persistence,” Trend Micro explains.
The malware was seen initiating the Accessibility service and initializing server communication over three ports, for data exfiltration, video streaming, and C&C.
Based on commands received from the server, the malware can execute gestures and global actions, send text messages, unlock the screen using a password, input passwords in applications, click on the screen, capture screen or camera video, enable the microphone, wake up the device, and delete itself.
MMRat can collect a broad range of device data and personal information, including network, screen, and battery data, installed applications, and contact lists.
“We believe the goal of the threat actor is to uncover personal information to ensure the victim fits a specific profile. For instance, the victim may have contacts that meet certain geographical criteria or have a specific app installed. This information can then be used for further malicious activities,” Trend Micro notes.
According to Trend Micro, the screen capture capability is likely used in conjunction with remote control, allowing the threat actor to view the device’s live status when performing bank fraud. The malware also uses the MediaProjection API to capture screen content and stream video data to the C&C server.
The malware also uses a ‘user terminal state’ approach to capturing screen data, where only text information is sent to the server, without the graphical user interface, resembling a terminal.