
New Android Banking Trojan Targets Southeast Asia Region

Android Banking Trojan Disguised as Dating or Government App

Hackers are deploying novel Android malware using an uncommon communication method to steal banking login data from compromised devices primarily in Southeast Asia.


Trend Micro researchers in a Tuesday report called the Trojan MMRat and said it has been active since late June. It uses Protocol Buffers, a data format, to upload large amounts of stolen data to command-and-control servers. More commonly known as Protobuf, the open-source format is a method for serializing structured data that is rarely seen in Android banking Trojans.
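Because Protobuf carries no field names on the wire, an analyst who captures C2 traffic usually has to decode it without the malware's schema. The following added example (not code from the Trend Micro report or from MMRat) shows how the wire format works: every value is prefixed with a tag that packs a field number and a wire type, so a buffer can be walked field by field even when the .proto definition is unknown. The sample message and its field meanings are constructed for this example; the real MMRat schema is not on the page.

```python
"""Schema-less decoder for the Protocol Buffers wire format (added example)."""
from typing import Any

# Wire types from the Protobuf encoding specification (3 and 4 are the
# deprecated group markers and are rejected below).
VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5


def encode_varint(value: int) -> bytes:
    """Base-128 varint: 7 data bits per byte, high bit set on all but the last."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def encode_field(field_no: int, wire_type: int, payload: bytes) -> bytes:
    """Prefix a payload with its tag: (field_no << 3) | wire_type."""
    tag = encode_varint((field_no << 3) | wire_type)
    if wire_type == LENGTH_DELIMITED:
        return tag + encode_varint(len(payload)) + payload
    return tag + payload


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a varint at buf[pos]; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_raw(buf: bytes) -> list[tuple[int, str, Any]]:
    """Return (field_no, kind, value) triples for every field in buf.

    Length-delimited fields are ambiguous on the wire (string, bytes or a
    nested message share wire type 2); like protoc --decode_raw, this tries
    to parse them as a sub-message first and falls back to raw bytes.
    """
    fields: list[tuple[int, str, Any]] = []
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x7
        if field_no == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == VARINT:
            value, pos = read_varint(buf, pos)
            fields.append((field_no, "varint", value))
        elif wire_type in (FIXED64, FIXED32):
            width = 8 if wire_type == FIXED64 else 4
            if pos + width > len(buf):
                raise ValueError("truncated fixed-width field")
            value = int.from_bytes(buf[pos:pos + width], "little")
            pos += width
            fields.append((field_no, f"fixed{width * 8}", value))
        elif wire_type == LENGTH_DELIMITED:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past buffer")
            chunk = buf[pos:pos + length]
            pos += length
            try:
                if not chunk:
                    raise ValueError("empty")
                fields.append((field_no, "message", decode_raw(chunk)))
            except ValueError:
                fields.append((field_no, "bytes", chunk))
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
    return fields


# Constructed sample shaped like a device-status report. Field meanings are
# invented for this example and are not the malware's real schema.
SAMPLE_REPORT = (
    encode_field(1, VARINT, encode_varint(87))                  # battery percent
    + encode_field(2, LENGTH_DELIMITED, b"vi-VN")               # device locale
    + encode_field(3, VARINT, encode_varint(300))               # signal reading
    + encode_field(4, LENGTH_DELIMITED,                         # nested app entry
                   encode_field(1, LENGTH_DELIMITED, b"example.bank.app")
                   + encode_field(2, VARINT, encode_varint(1)))
)

if __name__ == "__main__":
    for field_no, kind, value in decode_raw(SAMPLE_REPORT):
        print(field_no, kind, value)
```

The decoder recovers field numbers, types and values, not names; matching field 1 to "battery" still needs either the schema or correlation with device state observed in a sandbox. Strings made of bytes that happen to form valid tags will be reported as sub-messages, so treat the "message" kind as a best guess when inspecting real captures.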

MMRat is equipped with capabilities including a keylogger, and it can "remotely control victim devices to carry out bank fraud."

Users download the malware from phishing websites disguised as app stores that target speakers of languages including Vietnamese and Thai. The Trojan comes disguised as a dating or official government app.

MMRat gathers different device and personal information such as signal strength, whether the screen is locked, battery status, user contacts, and installed app specifics.

Malware Operation

Once the malware has been installed on the victim's device and the necessary app permissions have been obtained from the victim, the Trojan communicates with a remote server to start sending the large amounts of data collected from the device.

After executing bank fraud, MMRat uninstalls itself to remove all traces of the malware from the system. The researchers said the malware relies heavily on the Android Accessibility service and MediaProjection API to function properly.

Android Accessibility enables attackers to capture user input and actions. "Unlike other keylogging malware that focuses on specific scenarios, such as logging keys only when the victim is using bank apps, MMRat logs every action operated by users and uploads them to the server via the C2 channel," the researchers said.

The malware abuses an open-source framework called rtmp-rtsp-stream-client-java to use the MediaProjection API and stream video data to the remote server.

This allows it to record the screen and stream real-time video data to a remote server via the Real Time Streaming Protocol (RTSP). Upon receiving the media_stream command, the malware can record two types of data: screen and camera data.
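The capability set described above (an Accessibility service for input capture, MediaProjection for screen streaming, camera access, and a self-uninstall step) is visible in an app's manifest before the app ever runs, which makes it a useful static triage signal. The following added example (not code from Trend Micro or from the malware) parses a decoded AndroidManifest.xml and flags that combination. The permission and attribute names are real Android identifiers; the scoring rule and both sample manifests are assumptions constructed for this example, not a published detection signature.

```python
"""Static manifest triage for the accessibility + screen-capture pattern."""
import xml.etree.ElementTree as ET

# Android attributes live in this namespace; element names do not.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Real Android identifiers used as triage signals.
A11Y_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
MEDIA_PROJECTION_FGS_PERMISSION = "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"
CAMERA_PERMISSION = "android.permission.CAMERA"
DELETE_PACKAGES_PERMISSION = "android.permission.REQUEST_DELETE_PACKAGES"


def triage_manifest(manifest_xml: str) -> dict[str, bool]:
    """Return which of the four capabilities the manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    services = list(root.iter("service"))
    # An accessibility service is bound with BIND_ACCESSIBILITY_SERVICE and
    # answers the AccessibilityService intent action.
    has_a11y = any(
        s.get(ANDROID + "permission") == A11Y_BIND_PERMISSION
        or any(a.get(ANDROID + "name") == A11Y_ACTION for a in s.iter("action"))
        for s in services
    )
    # Screen capture runs in a foreground service of type mediaProjection;
    # on API 34+ it also needs the matching foreground-service permission.
    has_projection = MEDIA_PROJECTION_FGS_PERMISSION in perms or any(
        "mediaProjection" in (s.get(ANDROID + "foregroundServiceType") or "")
        for s in services
    )
    return {
        "accessibility_service": has_a11y,
        "media_projection": has_projection,
        "camera": CAMERA_PERMISSION in perms,
        "self_uninstall": DELETE_PACKAGES_PERMISSION in perms,
    }


def risk_label(signals: dict[str, bool]) -> str:
    """Assumed rule: accessibility plus screen capture is the remote-control
    core; camera and self-uninstall on top raise the label to high."""
    if signals["accessibility_service"] and signals["media_projection"]:
        extras = int(signals["camera"]) + int(signals["self_uninstall"])
        return "high" if extras else "medium"
    return "low"


# Constructed sample: an app declaring the full capability set.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.placeholder.dating">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".CaptureService"
        android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>
"""

# Constructed sample: a plain screen recorder, no accessibility service.
RECORDER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.placeholder.recorder">
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".RecordService"
        android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("dating", SUSPICIOUS_MANIFEST), ("recorder", RECORDER_MANIFEST)):
        signals = triage_manifest(xml)
        print(name, risk_label(signals), signals)
```

The rule only ranks; legitimate remote-support and screen-recording apps declare some of the same entries, so a "high" result is a reason to pull the APK into dynamic analysis (where the RTSP stream and the media_stream command would show up), not a verdict on its own.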


About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
