Beware the Fake Apps: MMRat Trojan’s Silent Invasion in Southeast Asia

Reading Time: ( Word Count: )

August 30, 2023

Cybersecurity experts have recently uncovered a novel mobile trojan that uses a unique method of communication.

This technique, termed as protobuf data serialization, enhances its capability to illicitly extract sensitive data from the targeted systems.

The report reveals that the malware, which they have named MMRat, first came to their attention in June 2023. The primary victims seem to be users in Southeast Asia. What’s notable is that when MMRat was initially detected, scanning platforms like VirusTotal did not recognize it as a threat.

MMRat boasts an extensive range of malicious capabilities. It can extract data related to the network, screen, and battery. Furthermore, it can pilfer contact lists, engage in keylogging, capture screen content in real-time, record and broadcast camera data, and even document screen data in textual formats. If needed, MMRat possesses the ability to delete itself.

Also Read: Deceptive AI Software Ads on Facebook: A Rising Cybersecurity Threat

Its feature to capture screen content in real-time stands out due to the need for high-speed data transfer, and this is where the prowess of the protobuf protocol comes into play. This custom protocol, designed specifically for data exfiltration, employs various ports and protocols to communicate with its command center.

MMRat Trojan's Silent Invasion

Highlighting its unique nature, the expert stated, “The command & control protocol stands out due to its tailored approach, built upon Netty (a network application framework) and the afore-mentioned Protobuf, enriched with meticulously crafted message structures. The communication with the command center is characterized by a comprehensive structure representing all message genres and the ‘oneof’ keyword specifying diverse data forms.”

The malevolent software was discovered masquerading on counterfeit mobile app platforms, often imitating government or dating applications. Though the level of sophistication in this malware is significant, it’s essential to note that these apps still request permissions from Android’s Accessibility Service – a common tell-tale sign of malicious intent.

Ultimately, the malware’s success is contingent upon the victim granting these permissions. If denied, MMRat becomes ineffective.

Saher Mahmood

Saher Mahmood


Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
How Often Should Penetration Testing Be Done

How Often Should Penetration Testing Be Done

Penetration testing is a crucial technique that involves simulating a cyberattack on networks, computer systems, ...

Submit a Comment

Your email address will not be published. Required fields are marked *