Since late June 2023 [2] [5] [8], cybersecurity researchers at Trend Micro's Mobile Application Reputation Service (MARS) have identified a new Android trojan known as MMRat. This trojan has specifically targeted mobile phone users in Southeast Asia [5], but it has the potential to spread globally.

Description

MMRat is a stealthy trojan that disguises itself as official government or dating apps and gains access to victims’ devices through phishing websites that appear to be official app stores. Once installed [1] [2] [3] [4] [5] [6] [7] [10], MMRat establishes communication with a remote server and carries out various tasks, including capturing screenshots [3] [5], remotely controlling devices [1] [2] [4] [5] [6] [8] [10], monitoring user input [2] [5], and conducting bank fraud [5]. It remains undetected on VirusTotal [2] [5].

The trojan collects extensive device and personal data [5], such as screen and battery data, installed apps [2] [5] [7], contact lists [5], and network data [5]. MMRat can self-uninstall and remove all traces of its activities [5]. It stands out due to its use of a customized command-and-control protocol that efficiently transfers large amounts of data [1] [6]. MMRat masquerades as official government or dating apps and uses phishing sites to deceive victims [1] [2] [6].

MMRat abuses the Android accessibility service and the MediaProjection API to carry out its activities [1] [4] [6], including collecting device data and personal information [1] [6], recording screen content [1] [6], and capturing lock screen patterns [1] [6]. The trojan uses the collected information for victim profiling and deletes itself after a successful fraudulent transaction [6].

To protect against this type of malware, users should only download apps from official sources such as official Android stores [1] [6] [9], carefully review app permissions [1] [6], and avoid installing apps from unknown sources [7]. It is also recommended to consider using Android antivirus apps for additional protection. Google Play Protect can identify and remove malicious apps [7], but it is crucial to remain vigilant and take proactive measures to safeguard personal information and devices.

Conclusion

The MMRat trojan poses a significant threat to mobile phone users, particularly in Southeast Asia [1] [2] [4] [5] [6] [8] [9] [10]. Its ability to disguise itself as legitimate apps and its sophisticated command-and-control protocol make it difficult to detect and remove. To mitigate the risks, users should exercise caution when downloading apps, stick to official sources [1] [6] [9], and employ additional security measures such as antivirus apps. As cyber threats continue to evolve, it is essential to stay informed and proactive in protecting personal information and devices.

References

[1] https://thehackernews.com/2023/08/mmrat-android-trojan-executes-remote.html
[2] https://www.threatshub.org/blog/stealthy-android-malware-mmrat-carries-out-bank-fraud-via-fake-app-stores/
[3] https://itsecuritywire.com/quick-bytes/new-android-trojan-mmrat-targets-southeast-asian-users/
[4] https://www.inforisktoday.com/new-android-banking-trojan-targets-southeast-asia-region-a-22968
[5] https://www.hackread.com/mmrat-android-trojan-fake-app-store-bank-fraud/
[6] https://www.redpacketsecurity.com/mmrat-android-trojan-executes-remote-financial-fraud-through-accessibility-feature/
[7] https://www.tomsguide.com/news/this-new-android-malware-can-unlock-your-phone-and-drain-your-bank-accounts-how-to-stay-safe
[8] https://www.trendmicro.com/en_us/research/23/h/mmrat-carries-out-bank-fraud-via-fake-app-stores.html
[9] https://www.mirror.co.uk/tech/android-app-warning-banking-trojan-30818576
[10] https://www.darkreading.com/endpoint/performance-enhanced-android-mmrat-scurries-onto-devices-via-fake-app-stores