New Android Banking Trojan Targets Southeast Asia RegionAndroid Banking Trojan Disguised as Dating or Government App
Hackers are deploying novel Android malware using an uncommon communication method to steal banking login data from compromised devices primarily in Southeast Asia.
Trend Micro researchers in a Tuesday report called the Trojan MMRat and said it has been active since late June. It uses a data format known as Protocol Buffers for uploading to command-and-control servers large amounts of stolen data. More commonly known as Protobuf, the open-source data format is a method for serializing structured data that's rarely seen in Android banking Trojans.
MMRat is equipped with capabilities including a keylogger, and it can "remotely control victim devices to carry out bank fraud."
Users download the malware from phishing websites disguised as app stores that target speakers of languages including Vietnamese and Thai. The Trojan comes disguised as a dating or official government app.
MMRat gathers different device and personal information such as signal strength, whether the screen is locked, battery status, user contacts, and installed app specifics.
Once the malware has been installed on the victim's device and necessary app permissions have been obtained from victims, the Trojan communicates with a remote server to start sending the large amount of data collected from devices.
After executing bank fraud, MMRat uninstalls itself to remove all traces of the malware from the system. The researchers said the malware relies heavily on the Android Accessibility service and MediaProjection API to function properly.
Android Accessibility enables attackers to capture user input and actions. "Unlike other keylogging malware that focuses on specific scenarios, such as logging keys only when the victim is using bank apps, MMRat logs every action operated by users and uploads them to the server via the C2 channel," the researchers said.
The malware abuses an open-source framework called rtmp-rtsp-stream-client-java for using the MediaProjection API and streams video data to the remote server.
This allows it to record the screen and stream real-time video data to a remote server via Real Time Streaming Protocol. Upon receiving the
media_stream command, the malware can record two types of data - screen and camera data.