Trend Micro’s cybersecurity researchers recently discovered a new mobile Trojan that uses an unusual communication method.
The method, protobuf data serialization, makes the theft of sensitive data from compromised devices more efficient.
In its report, Trend Micro says it first spotted the malware in June 2023, primarily targeting users in Southeast Asia. The researchers dubbed it MMRat and noted that, when it was first spotted, VirusTotal and similar AV scanning services did not flag it as malicious.
MMRat is capable of a wide range of malicious activity: collecting network, screen and battery data; stealing contact lists; keylogging; real-time screen capture and recording; live streaming of camera data; and logging and dumping screen data as text. Finally, MMRat can uninstall itself if needed.
Capturing screen content in real time requires efficient data transmission, and this is where the protobuf protocol shines. It is apparently a custom data exfiltration protocol that uses different ports and protocols to exchange data with the C2 server.
“The C&C protocol, in particular, is unique due to its customization based on Netty (a network application framework) and the aforementioned Protobuf, complete with well-designed message structures,” Trend Micro said in its report. “For C&C communication, the threat actor uses a general structure to represent all message types and the ‘oneof’ keyword to represent different data types.”
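To make that description concrete, the following is an added illustration (not MMRat’s schema and not Trend Micro’s code; the envelope layout, field numbers and payload names are assumptions): a minimal protobuf wire-format reader that an analyst could run over captured frames. A ‘oneof’ leaves no marker on the wire; it is simply a group of field numbers of which a well-formed message sets exactly one, so the message type is inferred from which payload field is present.

```python
# Minimal protobuf wire-format reader (varint and length-delimited fields only).
# Added example; the envelope below is hypothetical, not MMRat's real schema.

def read_varint(buf, pos):
    """Decode one base-128 varint starting at pos; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def parse_fields(buf):
    """Return a list of (field_number, wire_type, value) for one message."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        fnum, wtype = tag >> 3, tag & 7
        if wtype == 0:                      # varint
            val, pos = read_varint(buf, pos)
        elif wtype == 2:                    # length-delimited: string/bytes/nested msg
            ln, pos = read_varint(buf, pos)
            val, pos = bytes(buf[pos:pos + ln]), pos + ln
        else:
            raise ValueError(f"unsupported wire type {wtype}")
        fields.append((fnum, wtype, val))
    return fields

# Assumed 'oneof' payload cases of a single general envelope (hypothetical numbers).
PAYLOAD_FIELDS = {10: "device_info", 11: "screen_frame", 12: "keylog"}

def classify(buf):
    """Infer the message type: exactly one oneof case must be set."""
    fields = parse_fields(buf)
    present = [f for f, _, _ in fields if f in PAYLOAD_FIELDS]
    if len(present) != 1:
        return {"error": f"expected exactly one payload field, saw {present}"}
    header = {f: v for f, _, v in fields if f not in PAYLOAD_FIELDS}
    return {"type": PAYLOAD_FIELDS[present[0]], "header": header}

def encode_varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def field(fnum, wtype, payload):
    """Encode one field: tag = (field_number << 3) | wire_type."""
    tag = encode_varint((fnum << 3) | wtype)
    return tag + (encode_varint(payload) if wtype == 0 else encode_varint(len(payload)) + payload)

# Constructed sample frame, not captured traffic: session id, device id, keylog payload.
SAMPLE = field(1, 0, 300) + field(2, 2, b"dev-01") + field(12, 2, b"hello")
```

Running `classify(SAMPLE)` yields the type `keylog` with the header fields intact; a frame with zero or two payload fields is reported as malformed rather than silently accepted.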
Researchers found the malware hidden in fake mobile app stores, posing as government or dating apps. While they described the entire operation as “sophisticated,” it is worth noting that the apps still request permission to use Android’s Accessibility Service — a common red flag and a clear indication that the app is malicious.
If victims refuse to grant these permissions, the malware ends up unusable.
Via: BleepingComputer