Detailing the complexity of this communication method, Trend Micro noted, “The C&C protocol, in particular, is unique due to its customization based on Netty (a network application framework) and the previously-mentioned Protobuf, complete with well-designed message structures. For C&C communication, the threat actor uses an overarching structure to represent all message types and the ‘oneof’ keyword to represent different data types.”
For all its sophistication, MMRat still depends on the deceptive apps that carry it being granted access to Android’s Accessibility Service. A request for this permission is a typical red flag and a clear indicator of malicious intent. Denying it renders the malware powerless, which highlights the importance of user vigilance in safeguarding mobile devices from evolving threats.
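The accessibility-service request described above is something an analyst can check for directly in an app's manifest. The following triage helper is an added example, not code from the article or from Trend Micro: it parses a decoded AndroidManifest.xml (as produced by apktool) and reports every service bound with the accessibility permission; the package and class names in the embedded sample manifest are constructed placeholders.

```python
"""Flag Android services that request AccessibilityService binding.

Works on a decoded AndroidManifest.xml (e.g. apktool output). A service is
reported when it is protected by BIND_ACCESSIBILITY_SERVICE or when its
intent-filter names the AccessibilityService action.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def find_accessibility_services(manifest_xml: str) -> list[str]:
    """Return the android:name of each <service> that requests accessibility binding."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for service in root.iter("service"):
        # Namespaced attributes are stored as "{namespace}attribute" by ElementTree.
        name = service.get(f"{{{ANDROID_NS}}}name", "")
        permission = service.get(f"{{{ANDROID_NS}}}permission")
        actions = {a.get(f"{{{ANDROID_NS}}}name") for a in service.iter("action")}
        if permission == ACCESSIBILITY_PERMISSION or ACCESSIBILITY_ACTION in actions:
            hits.append(name)
    return hits


# Constructed sample manifest; package and class names are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <application>
    <service android:name=".SyncService" android:exported="false"/>
    <service android:name=".OverlayService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for cls in find_accessibility_services(SAMPLE_MANIFEST):
        print(f"accessibility service declared: {cls}")
```

A hit is not proof of malice on its own (screen readers and automation tools legitimately declare such services), but for an app with no accessibility purpose it is the red flag the article describes.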