TechRadar
Sead Fadilpašić

This sneaky Android malware uses a rare technique to steal banking data


Cybersecurity researchers from Trend Micro recently discovered a new mobile trojan that leverages an innovative communication method. 

Called protobuf data serialization, the method makes it better at stealing sensitive data from the compromised endpoints.

In its report, Trend Micro says it first spotted the malware in June 2023, mostly targeting users in Southeast Asia. The researchers dubbed it MMRat, and said that when it was first spotted, VirusTotal and similar AV scanning services were not detecting it as malicious.

MMRat

MMRat is capable of a wide variety of malicious activity, from harvesting network, screen, and battery data, to stealing contact lists; from keylogging to grabbing real-time screen content, and from recording and live-streaming camera data, to recording and dumping screen data in text form. Finally, MMRat can uninstall itself if necessary.

The ability to grab real-time screen content requires efficient data transmission, which is where Protobuf shines. Apparently, the malware uses a custom protocol built on it for data exfiltration, with different ports and protocols for exchanging data with the C2.

"The C&C protocol, in particular, is unique due to its customization based on Netty (a network application framework) and the previously-mentioned Protobuf, complete with well-designed message structures," Trend Micro said in its report. "For C&C communication, the threat actor uses an overarching structure to represent all message types and the 'oneof' keyword to represent different data types."
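
As an added illustration (not taken from Trend Micro's report or from this article), the sketch below is a schema-less Protobuf wire-format decoder that an analyst can use to see which member of a `oneof` envelope a captured message carries. The field numbers and sample bytes are constructed for the example and do not reflect MMRat's actual message layout.

```python
"""Schema-less Protobuf wire decoder for triaging an unknown envelope message."""

def read_varint(buf, pos):
    """Decode a base-128 varint starting at pos; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")

def parse_fields(buf):
    """Return [(field_number, wire_type, value)] for one message's top-level fields."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if wire_type == 0:                      # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:                    # fixed 64-bit
            value, pos = buf[pos:pos + 8], pos + 8
        elif wire_type == 2:                    # length-delimited: bytes, string, sub-message
            length, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        elif wire_type == 5:                    # fixed 32-bit
            value, pos = buf[pos:pos + 4], pos + 4
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
        fields.append((number, wire_type, value))
    return fields

def oneof_variant(buf, oneof_numbers):
    """Return the field number of the oneof member present (last one wins), or None."""
    present = [n for n, _, _ in parse_fields(buf) if n in oneof_numbers]
    return present[-1] if present else None

# Constructed sample: envelope with field 1 = varint 7 (hypothetical message id)
# and field 3 = sub-message {field 1 = "ok"} as the populated oneof member.
SAMPLE = bytes.fromhex("0807" "1a04" "0a026f6b")
```

On the wire a `oneof` is not marked specially: its members are ordinary fields, so the field number that appears in the envelope is what tells the analyst which message type was sent.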

The researchers found the malware hidden in fake mobile app stores, posing as government or dating apps. While they described the entire effort as “sophisticated”, it’s worth mentioning that the apps still ask for permissions for Android's Accessibility Service - a common red flag and a clear indication that the app is malicious.

At the end of the day, if the victims decline to grant these permissions, the malware is rendered useless.

Via: BleepingComputer
