MMRat malware targeted mobile banking users from SEA

September 4, 2023
MMRat Malware Mobile Banking South East Asia Android

The new MMRat malware campaign targets Android mobile banking users in Southeast Asian countries. The Android malware uses a customised command-and-control protocol based on Protobuf to exfiltrate data reliably. Researchers named it MMRat after its package name, ‘com[.]mm[.]user’.

Recent investigations showed that threat actors distribute most MMRat samples through phishing sites that impersonate legitimate app stores. Each phishing site is written in a different language, which lets the campaign lure victims in several countries.

In one instance, investigators found the malware posing as a dating app or an official government application in order to carry out bank fraud. Once installed, the app asks the victim to grant the phone permissions it needs to complete its malicious activity.

Next, the malware communicates with an attacker-controlled remote server and sends the data harvested from the compromised device, such as personal details. In the final stage of the attack, the malware terminates itself and wipes its traces from the infected device to hinder analysis.

The MMRat malware is highly dependent on several features.

MMRat relies on the MediaProjection API and the Android Accessibility service to function. Together these give it several malicious capabilities, such as recording user input and on-screen content, remotely controlling the targeted device, and executing bank fraud.
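As an added defender-side example (not code from the article or from the researchers it summarises), the following Python triage script parses a decoded AndroidManifest.xml and flags the combination described above: an app that declares an accessibility service alongside overlay or media-projection permissions, or that carries the reported package name. The sample manifest is constructed, and the high-risk permission list is a hypothetical heuristic, not a signature.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# The only indicator taken from the article: MMRat's reported package name.
KNOWN_PACKAGES = {"com.mm.user"}
# Hypothetical heuristic: permissions that, next to an accessibility service,
# point at overlay, screen-capture and remote-control capability.
HIGH_RISK_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION",
}

def declares_accessibility_service(root):
    """True if any <service> is declared as an Android accessibility service."""
    for svc in root.iter("service"):
        if svc.get(A_PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            return True
        if any(a.get(A_NAME) == ACCESSIBILITY_ACTION for a in svc.iter("action")):
            return True
    return False

def triage_manifest(manifest_xml):
    """Return (package, findings) for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    perms = {p.get(A_NAME) for p in root.iter("uses-permission")}
    findings = []
    if pkg in KNOWN_PACKAGES:
        findings.append(f"known MMRat package name: {pkg}")
    if declares_accessibility_service(root):
        findings.append("declares an accessibility service")
        risky = sorted(perms & HIGH_RISK_PERMISSIONS)
        if risky:
            findings.append("accessibility service combined with " + ", ".join(risky))
    return pkg, findings

# Constructed sample manifest (not a real MMRat artifact) of a sideloaded app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.mm.user">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""
```

Real APKs ship a binary manifest, so decode it first (for example, apktool writes a plain-text AndroidManifest.xml) before passing it to `triage_manifest`.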

Furthermore, the malware operators use anti-detection tactics similar to those of Gigabud RAT and Vultur to remain undetected during infection.

Official app stores remain a profitable target for malicious actors. Recent research showed that thousands of malicious applications are shipped as APKs to avoid security checks. Scammers and fraudsters disseminate these malicious APKs through third-party app stores or by sideloading, promoted through social engineering campaigns.

In a related incident, the Android malware families FakeTrade and CherryBlos posed as APK files for social media platforms and other apps to steal user funds and cryptocurrency credentials.

Experts advise users to review any application before installing it, to obtain applications only from reputable publishers or developers, and to refrain from downloading unnecessary applications.
