Stealthy Android Malware Employing Rare Technique: Your Banking Data at Risk – Stay Informed and Secure

Cybersecurity experts at Trend Micro have unearthed a new mobile trojan that is rewriting the playbook on data theft with an innovative communication technique. Meet “MMRat,” a cunning mobile malware that leverages protobuf data serialization, enabling it to excel in the art of pilfering sensitive data from compromised devices.

Trend Micro first encountered this insidious threat in June 2023, with a notable focus on targeting users in Southeast Asia. Dubbed MMRat by the researchers, it initially flew under the radar, with popular antivirus scanning services like VirusTotal failing to flag it as malicious.

The capabilities of MMRat are nothing short of chilling. From harvesting network, screen, and battery data to pilfering contact lists, conducting keylogging operations, capturing real-time screen content, recording and live-streaming camera data, and even dumping screen data in text formats, MMRat is a formidable adversary in the digital realm. To top it off, the malware possesses a self-destruct mechanism, allowing it to vanish without a trace if the need arises.

MMRat's standout feature is its ability to capture real-time screen content efficiently, and this is where protobuf data serialization comes into play. The malware's custom protobuf-based exfiltration protocol operates through a range of ports and protocols to exchange data with its command and control (C2) server.

Detailing the complexity of this communication method, Trend Micro noted, “The C&C protocol, in particular, is unique due to its customization based on Netty (a network application framework) and the previously-mentioned Protobuf, complete with well-designed message structures. For C&C communication, the threat actor uses an overarching structure to represent all message types and the ‘oneof’ keyword to represent different data types.”

Despite its sophistication, the deceptive apps housing MMRat tend to request permissions for Android’s Accessibility Service. This behavior serves as a typical red flag and a clear indicator of malicious intent. Denying these permissions renders the malware powerless, highlighting the importance of user vigilance in safeguarding mobile devices from evolving threats.

In a digital landscape fraught with dangers, MMRat serves as a stark reminder of the need for robust cybersecurity measures and heightened user awareness. As the battle against cyber threats intensifies, staying informed and proactive remains our best defense.