Performance-Enhanced Android MMRat Scurries Onto Devices via Fake App Stores

Published: 23/11/2024   Category: security




The stealthy Trojan targets users in Southeast Asia, allowing attackers to remotely control devices to commit bank fraud.



A newly detected Android Trojan with performance enhancements for transferring large amounts of data is infecting user devices through fake app stores, allowing operators to take over control of devices to commit bank fraud.
Dubbed MMRat for its package name, the Trojan has been targeting mobile users in Southeast Asia since late June, researchers from Trend Micro revealed in a blog post Aug. 29. MMRat often masquerades as an official government or dating app on a fake but convincing-looking app store, then after download and launch, presents a phishing website to victims to gain access to credentials and personal data.
The malware, which loads as com.mm.user, can capture user input and screen content, and also allow attackers to remotely control victim devices through various techniques. Ultimately, the goal of the RAT is to steal from users' bank accounts using their credentials and personal data.
MMRat also features a rare performance enhancement that uses a special customized command-and-control (C2) protocol based on protocol buffers (aka Protobuf), the researchers noted.
This feature, which is rarely seen in Android banking Trojans, enhances its performance during the transfer of large volumes of data, according to the post.
Most of the samples of MMRat that researchers analyzed were from a series of similar-looking phishing websites masquerading as official app stores in various languages depending on the targeted user base. However, researchers are unclear on exactly how attackers distributed the phishing links to victim devices, they said.
Once it's installed, MMRat requests permissions from users that, once granted, allow it to access key data and functionality on the device. Once it does, it starts sending data about the device — such as device status, personal data, and keylogging data — back to the remote server.
One of these initial activities is to target the victim's contact and installed app list for collection, which is likely so attackers can uncover personal information to ensure the victim fits a specific profile.
For instance, the victim may have contacts that meet certain geographical criteria or have a specific app installed, according to Trend Micro. This information can then be used for further malicious activities.
The Trojan relies heavily on two Android features — Android Accessibility service to establish a connection with an attacker-controlled server for remote control and the MediaProjection API — to function properly. Key capabilities include capturing user input and screen content as well as remotely controlling the devices of its victims.
An additional feature of MMRat allows the threat actor to wake up the device remotely when it's not in use, unlock the screen, and perform bank fraud using victim credentials. Concurrently, the threat actor can also initiate screen capturing for server-side visualization of the device screen, according to the post.
Once it's up and running, MMRat then uninstalls itself, removing all traces of the malware from the system.
Android-targeted banking Trojans and other malware continue to be a persistent problem on the mobile platform, and require some diligence on the part of users to avoid being compromised.
Moreover, MMRat, like other Android malware GigabudRat and Vultur before it, has evasion tactics that make it difficult to detect, with the Trojan flying under the radar with no detections on VirusTotal so far at the time the blog was posted, the researchers noted.
Considering that MMRat is distributed via phishing websites posing as official app stores, Trend Micro recommends that users only download apps from official sources such as Google Play Store or Apple App Store.
Android users also should regularly update device software to install any security enhancements that protect against new threats like MMRat. Further, they also should be wary of granting accessibility permissions to any app they install, as MMRat exploits Android's Accessibility service to carry out its malicious activities.
Any mobile device user also should maintain vigilance when divulging personal and banking information online or with any apps on their device, as malware like MMRat is designed to use this data to commit bank fraud.
Finally, installing a reputable security solution on an Android device also can help detect and remove threats before they can cause harm.
