Key points
- MMRat (package name com.mm.user, detected as AndroidOS_MMRat.HRX) was discovered in late June 2023 and remains undetected on VirusTotal at the time of reporting.
- Primary distribution is via phishing websites mimicking official app stores localized by language to target victims in specific countries.
- The malware abuses Android Accessibility services and the MediaProjection API to perform keylogging, auto-approve permissions, capture screen content, and execute UI interactions remotely.
- MMRat uses a customized C2 protocol built on Netty and Protocol Buffers (Protobuf) and separates functions across ports 8080 (HTTP data exfiltration), 8554 (RTSP streaming), and 8887 (custom C2).
- It collects and regularly exfiltrates device status, contacts, installed apps, battery/network/screen data, and detailed action logs; it can wake, unlock (using stolen patterns), and control the device to commit bank fraud.
- The malware implements persistence via broadcast receivers and a 1×1 pixel activity, and can uninstall itself via a C2 command to hinder forensic analysis.
- Trend Micro provides a full IOC listing and recommendations, including avoiding unofficial app stores and limiting Accessibility permissions.
MITRE Techniques
- [T1566] Phishing – Distribution via phishing sites: ‘most MMRat samples are downloaded from a series of similar phishing websites disguised as official app stores.’
- [T1204] User Execution – Victim installs malicious app: ‘The victim downloads and installs MMRat.’
- [T1547] Boot or Logon Autostart Execution – Persistence using system events and a 1×1 pixel activity: ‘it registers a receiver that can receive system events… launches a 1×1-sized pixel activity to ensure its persistence.’
- [T1056.001] Input Capture: Keylogging – Captures all user input and lock-screen patterns: ‘MMRat is capable of capturing user input… logs every action operated by users… collects the pattern value and uploads it to the server.’
- [T1113] Screen Capture – Real-time screen recording via MediaProjection API and alternate window-dump technique: ‘MMRat can capture real-time screen content of the victim’s device and stream the content to a remote server… relies primarily on the MediaProjection API.’
- [T1071.001] Application Layer Protocol: Web Protocols – C2 and data transfer using HTTP/RTSP and a custom Protobuf/Netty protocol: ‘uses different ports on a single server for different functions: 8080 HTTP, 8554 RTSP, 8887 Customized… customized command-and-control (C&C) protocol based on protocol buffers.’
- [T1219] Remote Access Tools – Remote control of device (gestures, input, unlocking) to perform fraud: ‘can remotely control victim devices… execute gesture… Unlock screen via stolen password… Input password for WeChat and Zhifubao.’
- [T1041] Exfiltration Over C2 Channel – Exfiltrates device and personal data including keylogs and contacts: ‘sends a large amount of data that includes device status, personal data, and keylogging data.’
- [T1070] Indicator Removal on Host – Hiding tracks by uninstalling itself on command: ‘uninstalls itself, removing all traces of the malware from the system.’
Indicators of Compromise
- [Malware name / detection] detection identifiers – AndroidOS_MMRat.HRX, MMRat
- [Package name] app identifier – com.mm.user
- [C2 / Ports] server functions and protocols – 8080 (HTTP data exfiltration), 8554 (RTSP video streaming), 8887 (custom C2)
- [IOC file / report] full indicator listing – https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/h/mmrat-carries-out-bank-fraud-via-fake-app-stores/IOC_stealthy-android-malware-mmrat-carries-out-bank-fraud-via-fake-app-stores.txt
- [Source report] technical write-up – https://www.trendmicro.com/en_us/research/23/h/mmrat-carries-out-bank-fraud-via-fake-app-stores.html
MMRat is delivered through localized phishing pages masquerading as official app stores; once the user downloads and launches the APK, it requests Accessibility permissions and registers broadcast receivers to survive reboots, using a 1×1 pixel activity for persistence. After activation it immediately begins a high-frequency data collection loop (timer task executing every second with counters resetting every 60 seconds) to gather network status, battery, screen state, installed apps, and contacts, and it serializes logs (LogInfo via Protobuf) for transfer to its servers.
For remote control and visualization, MMRat establishes connections to attacker-controlled servers and splits functionality across ports (8080 for HTTP exfiltration, 8554 for RTSP streaming, 8887 for custom Protobuf/Netty C2). It abuses the Accessibility service to auto-approve system permission dialogs (searching for “ok”/similar keywords and simulating clicks), capture input (comprehensive keylogging including lock-screen patterns), and perform UI actions (gestures, clicks, input text) to wake, unlock, and operate the device while the user is idle.
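As an added detection example (not code from the Trend Micro report), the following Python flags a device that talks to a single external host on the 8080/8554/8887 port combination the report attributes to MMRat; the flow-log format, sample lines, device names and addresses are all constructed placeholders.

```python
"""Flow-log heuristic for the MMRat port triad (8080/8554/8887 on one host).

Added example, not code from the Trend Micro report. It assumes a simple
constructed flow-log format "<ts> <src_device> <dst_host> <dst_port> <bytes>";
the field layout and sample values are hypothetical.
"""
from collections import defaultdict

# Ports the report says MMRat splits its functions across on one server.
MMRAT_PORTS = {8080: "HTTP exfiltration", 8554: "RTSP streaming", 8887: "custom C2"}

# Constructed sample flow-log lines (addresses are documentation ranges).
SAMPLE_FLOWS = """\
2023-06-28T10:00:01 phone-17 203.0.113.10 8080 48231
2023-06-28T10:00:02 phone-17 203.0.113.10 8887 512
2023-06-28T10:00:05 phone-17 203.0.113.10 8554 981244
2023-06-28T10:00:07 phone-22 198.51.100.5 8080 1400
2023-06-28T10:00:09 phone-22 198.51.100.7 443 9000
2023-06-28T10:00:11 phone-31 203.0.113.10 8887 300
"""

def parse_flows(text):
    """Yield (device, host, port, nbytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, device, host, port, nbytes = parts
        try:
            yield device, host, int(port), int(nbytes)
        except ValueError:
            continue

def find_port_triad(text, min_ports=2):
    """Return {(device, host): sorted ports} for device->host pairs that used
    at least `min_ports` of the MMRat ports. All three is the strongest signal;
    two is a lower-confidence hit worth triaging."""
    seen = defaultdict(set)
    for device, host, port, _n in parse_flows(text):
        if port in MMRAT_PORTS:
            seen[(device, host)].add(port)
    return {pair: sorted(ports) for pair, ports in seen.items() if len(ports) >= min_ports}

def describe(hits):
    """Human-readable triage lines for the analyst."""
    return [f"{dev} -> {host}: " + ", ".join(f"{p} ({MMRAT_PORTS[p]})" for p in ports)
            for (dev, host), ports in sorted(hits.items())]

if __name__ == "__main__":
    for line in describe(find_port_triad(SAMPLE_FLOWS, min_ports=3)):
        print(line)
```

Port 8080 on its own is ordinary web traffic, so the combination of ports to the same host is the signal; confirm any hit against the IOC listing linked above.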
Screen content is obtained both via MediaProjection API (using an open-source RTSP/RTMP streaming client and auto-clicked permission grants) and via a “user terminal state” method that recursively dumps window nodes through Accessibility to reconstruct UI text-based views (bypassing FLAG_SECURE). The malicious client can start/stop media streams on command, exfiltrate collected data over its C2 channel, and execute a remote UNINSTALL_APP command to delete itself after operations to hinder investigation.
Read more: https://www.trendmicro.com/en_us/research/23/h/mmrat-carries-out-bank-fraud-via-fake-app-stores.html