Android Banking Trojan Disguised As Dating or Government App
Hackers are deploying novel Android malware using an uncommon communication method to steal banking login data from compromised devices primarily in Southeast Asia.
Trend Micro researchers in a Tuesday report call the Trojan MMRat and say it has been active since late June. It uses a data format known as Protocol Buffers to upload large amounts of stolen data to command-and-control servers. More commonly known as Protobuf, the open source data format is a method for serializing structured data that’s rarely seen in Android banking Trojans.
MMRat is equipped with capabilities including a keylogger and can “also remotely control victim devices to carry out bank fraud.”
Users download the malware from phishing websites disguised as app stores that target speakers of languages including Vietnamese and Thai. The Trojan comes disguised as a dating or official government app.
MMRat gathers different device and personal information such as signal strength, whether the screen is locked, battery status, user contacts, and installed app specifics.
Once the malware is installed on the victim’s device and has obtained the necessary app permissions, the Trojan communicates with a remote server and starts sending the large amount of data collected from the device.
After executing bank fraud, MMRat uninstalls itself to remove all traces of the malware from the system. Researchers say the malware relies heavily on the Android Accessibility service and MediaProjection API to function properly.
Android Accessibility enables attackers to capture user input and actions. “Unlike other keylogging malware that focuses on specific scenarios, such as logging keys only when the victim is using bank apps, MMRat logs every action operated by users and uploads them to the server via the C2 channel,” researchers say.
The malware abuses an open-source framework called rtmp-rtsp-stream-client-java to use the MediaProjection API and stream video data to the remote server.
This allows it to record the screen and stream real-time video data to a remote server via Real Time Streaming Protocol. Upon receiving the media_stream command, the malware can record two types of data – screen and camera data.