Performance-Enhanced Android MMRat Scurries Onto Devices via Fake App Stores

A newly detected Android Trojan with performance enhancements for transferring large amounts of data is infecting user devices through fake app stores, allowing operators to take over control of devices to commit bank fraud.

Dubbed MMRat for its package name, the Trojan has been targeting mobile users in Southeast Asia since late June, researchers from Trend Micro revealed in a blog post Aug. 29. MMRat often masquerades as an official government or dating app on a fake but convincing-looking app store, then after download and launch, presents a phishing website to victims to gain access to credentials and personal data.

The malware, which loads as com.mm.user, can capture user input and screen content, and also allow attackers to remotely control victim devices through various techniques. Ultimately, the goal of the RAT is to steal from user's bank accounts using their credentials and personal data.

MMRat also features a rare performance enhancement that uses a special customized command-and-control (C2) protocol based on protocol buffers (aka Protobuf), the researchers noted.

"This feature, which is rarely seen in Android banking Trojans, enhances its performance during the transfer of large volumes of data," according to the post.

App Store or Cybercrime?

Most of the samples of MMRat that researchers analyzed were from a series of similar-looking phishing websites masquerading as official app stores in various languages depending on the targeted user base. However, researchers are unclear of exactly how attackers distributed the phishing links to victim devices, they said.

Once it's installed, MMRat requests permissions from users that, once granted, allow it to access key data and functionality on the device. Once it does, it starts send data about the device — such as device status, personal data, and keylogging data — back to the remote server.

One of these initial activities is to target the victim's contact and installed app list for collection, which is likely so attackers can uncover personal information to ensure the victim fits a specific profile.

"For instance, the victim may have contacts that meet certain geographical criteria or have a specific app installed," according to Trend Micro. "This information can then be used for further malicious activities."

The Trojan relies heavily on two Android features — Android Accessibility service to establish a connection with an attacker-controlled server for remote control and the MediaProjection API — to function properly. Key capabilities include capturing user input and screen content as well as remotely controlling the devices of its victims.

An additional feature of MMRat allows the threat actor to wake up the device remotely when it's not in use, unlock the screen, and perform bank fraud using victim credentials. "Concurrently, the threat actor can also initiate screen capturing for server-side visualization of the device screen," according to the post.

Once it's up and running, MMRat then uninstalls itself, removing all traces of the malware from the system.

Don't Be Fooled

Android-targeted banking Trojans and other malware continue to be a persistent problem on the mobile platform, and require some diligence on the part of users to avoid being compromised.

Moreover, MMRat, like other Android malware GigabudRat and Vultur before it, has evasion tactics that make it difficult to detect, with the Trojan flying under the radar with no detections on VirusTotal so far at the time the blog was posted, the researchers noted.

Considering that MMRat is distributed via phishing websites posing as official app stores, Trend Micro recommends that users only download apps from official sources such as Google Play Store or Apple App Store.

Android users also should regularly update device software to install any security enhancements that protect against new threats like MMRat. Further, they also should be wary of granting accessibility permissions to any app they install, as MMRat exploits Android's Accessibility service to carry out its malicious activities.

Any mobile device user also should maintain vigilance when divulging personal and banking information online or with any apps on their device, as malware like MMRat is designed to use this data to commit bank fraud.

Finally, installing a reputable security solution on an Android device also can help detect and remove threats before they can cause harm.