Cybersecurity researchers from Trend Micro recently discovered a new mobile trojan that leverages an innovative communication method.
Called protobuf data serialization, the method makes it better at stealing sensitive data from the compromised endpoints.
In its report, Trend Micro says it first spotted the malware in June 2023, mostly targeting users in Southeast Asia. The researchers dubbed it MMRat, and said that when it was first spotted, VirusTotal and similar AV scanning services were not detecting it as malicious.
MMRat is capable of a wide variety of malicious activity, from harvesting network, screen, and battery data, to stealing contact lists; from keylogging to grabbing real-time screen content, and from recording and live-streaming camera data, to recording and dumping screen data in text forms. Finally, MMRat can uninstall itself if necessary.
The ability to grab real-time screen content requires efficient data transmission, which is where the protobuf protocol shines. Apparently, this is a custom protocol for data exfiltration, using different ports and protocols for exchanging data with the C2.
"The C&C protocol, in particular, is unique due to its customization based on Netty (a network application framework) and the previously-mentioned Protobuf, complete with well-designed message structures," Trend Micro said in its report. "For C&C communication, the threat actor uses an overarching structure to represent all message types and the "oneof" keyword to represent different data types."
The researchers have found the malware hidden in in fake mobile app stores, posing as government, or dating, apps. While they described the entire effort as “sophisticated”, it’s worth mentioning that the apps still ask for permissions for Android's Accessibility Service - a usual red flag and a clear indication that the app is malicious.
At the end of the day, if the victims decline to grant these permissions, the malware is rendered useless.
Check out the best malware removal right now