Android-Based Trojan MMRat Executes Financial Fraud via Remote Execution Using the Accessibility Feature

Cybersecurity organization Trend Micro has reported an Android-based trojan, MMRat, capable of financial fraud using the accessibility feature on the affected mobile device.

In its report on the malware, the organization describes its findings, stating:

“The Trend Micro Mobile Application Reputation Service (MARS), a new fully undetected Android banking trojan, dubbed MMRat (detected by TrendMicro as AndroidOS_MMRat.HRX), that has been targeting mobile users in southeast Asia since late June 2023.”

The malware is said to take its name from its distinctive package name, com.mm.user. It is capable of capturing the user's on-screen input and screen content, and a malicious hacker can remotely control devices belonging to their targets or victims.

The malware communicates over a customized C2 (command-and-control) protocol that relies on Protobuf (Protocol Buffers), an open-source data format used for serializing structured data.

Malware Propagation and Analysis:

According to the findings, the malware samples were downloaded from a list of phishing websites masquerading as a legitimate app store and written in different languages. At the time these findings were made, the exact method by which the phishing links were propagated could not be pinpointed.

[Figure: MMRat malware propagation and analysis. The malware captures the user's on-screen input and content and exfiltrates the data to a C2 server controlled by the threat actor. Image source: Trend Micro]

 

The malware was fully undetected (FUD) when analyzed on VirusTotal, indicating that the author has taken extreme steps in writing the malware. It was also discovered that the malware uses a series of protocols and open services to attain its goal.

The protocols, open services, and their usage include the following:

  • HTTP, running on port 8080, is used by the malware for data exfiltration.
  • RTSP, running on port 8554, is used by the malware for RTSP video streaming.
  • A custom protocol, running on port 8887, is used by the malware for communicating with the C2 server.
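
As an added example (not from Trend Micro's report or the original article), the Python below shows how a defender could correlate network flow logs for the port combination listed above, since port 8080 on its own is far too common to alert on. The log format, function names, confidence levels and sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

# Port roles as listed in the article above.
MMRAT_PORTS = {8080: "HTTP data exfiltration",
               8554: "RTSP video streaming",
               8887: "custom C2 protocol"}

def parse_flow(line):
    """Parse 'timestamp src_ip dst_ip dst_port' (hypothetical flow-log format)."""
    ts, src, dst, port = line.split()
    return ts, src, dst, int(port)

def correlate(lines):
    """Group flows by (device, remote host) and score the port combination."""
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, src, dst, port = parse_flow(line)
        if port in MMRAT_PORTS:
            seen[(src, dst)].add(port)
    findings = []
    for (src, dst), ports in sorted(seen.items()):
        if ports == set(MMRAT_PORTS):
            level = "high"    # all three services on one remote host
        elif 8887 in ports and len(ports) == 2:
            level = "medium"  # C2 port plus one companion service
        else:
            continue          # a single port alone is too common to alert on
        findings.append({"device": src, "remote": dst,
                         "ports": sorted(ports), "confidence": level})
    return findings

# Constructed sample flows (documentation address ranges, not real indicators).
SAMPLE = """\
# ts src dst dport
2023-08-30T10:00:01Z 10.0.0.21 203.0.113.10 8887
2023-08-30T10:00:04Z 10.0.0.21 203.0.113.10 8080
2023-08-30T10:02:10Z 10.0.0.21 203.0.113.10 8554
2023-08-30T10:03:00Z 10.0.0.21 192.0.2.5 443
2023-08-30T10:05:00Z 10.0.0.34 198.51.100.7 8080
2023-08-30T10:05:30Z 10.0.0.34 198.51.100.8 8554
2023-08-30T10:06:00Z 10.0.0.55 203.0.113.10 8887
2023-08-30T10:06:05Z 10.0.0.55 203.0.113.10 8080
"""

if __name__ == "__main__":
    for finding in correlate(SAMPLE.splitlines()):
        print(finding)
```

A match is a lead for triage of the device, not proof of infection, because each of these ports is also used by legitimate services.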

Use of MMRat in Conducting Bank Fraud:

Innocent victims are said to download and install the MMRat app, unaware that it is a trojan horse. The app then requests a list of permissions, which the unsuspecting victim grants. The malware then establishes a remote connection with the C2 server and exfiltrates a large amount of the target's data, including but not limited to device status, PII (personally identifiable information), and keylogging data.

The target device, when idle, can be woken by the malicious hacker, who then unlocks the device screen and accesses the user's mobile banking application to maliciously transfer their money. The threat actor also initiates screen capturing for server-side visualization of the device screen. The final game changer is the self-destruction of the malware on the victim's device, without leaving any traceable files behind.

The malware is said to impersonate official government-owned apps or dating applications to trick its victims. It also detects when the infected device reboots, is switched off, and is switched on.

Mitigation:

To protect against the malware, Trend Micro has listed recommendations to keep users from falling victim to the unsuspected trojan.

These suggestions include downloading apps only from trusted app stores, regularly updating the OS and device software, installing trusted security solutions, and knowing what access is granted when installing applications on a device.

More information about the findings can be read here.

 

 

 
