This sneaky Android malware uses a rare technique to steal banking data

Through protobuf data serialization, Android malware can steal plenty of sensitive data


Cybersecurity researchers from Trend Micro recently discovered a new mobile trojan that leverages an innovative communication method.

The method, called protobuf data serialization, makes the trojan better at stealing sensitive data from compromised endpoints.

In its report, Trend Micro says it first spotted the malware in June 2023, mostly targeting users in Southeast Asia. The researchers dubbed it MMRat, and said that when it was first spotted, VirusTotal and similar AV scanning services were not detecting it as malicious.

MMRat

MMRat is capable of a wide variety of malicious activity, from harvesting network, screen, and battery data, to stealing contact lists; from keylogging to grabbing real-time screen content, and from recording and live-streaming camera data, to recording and dumping screen data in text forms. Finally, MMRat can uninstall itself if necessary.

Grabbing real-time screen content requires efficient data transmission, which is where Protobuf shines. Apparently, MMRat uses a custom protocol for data exfiltration built on it, with different ports and protocols for exchanging data with the C2.

“The C&C protocol, in particular, is unique due to its customization based on Netty (a network application framework) and the previously-mentioned Protobuf, complete with well-designed message structures,” Trend Micro said in its report. “For C&C communication, the threat actor uses an overarching structure to represent all message types and the “oneof” keyword to represent different data types.”

The researchers found the malware hidden in fake mobile app stores, posing as government or dating apps. While they described the entire effort as “sophisticated”, it’s worth mentioning that the apps still ask for permissions for Android’s Accessibility Service - a usual red flag and a clear indication that the app is malicious.

At the end of the day, if the victims decline to grant these permissions, the malware is rendered useless.
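The Accessibility Service request described above can be checked before an app is ever installed. The following is an added example, not code from Trend Micro's report or from the malware: it triages a manifest that has already been decoded to text (an assumption; the manifest inside an APK is binary and must be decoded first), and the sample manifest, package name and service names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
# Permissions matching capabilities the article lists (camera capture, contact theft).
SENSITIVE = {"android.permission.CAMERA", "android.permission.READ_CONTACTS"}

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".SyncService"/>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return accessibility services and sensitive permissions declared in a manifest."""
    # For manifests from untrusted APKs, a hardened parser such as defusedxml
    # is the safer choice; the standard library is used here to stay self-contained.
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    services = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        # A service is an accessibility service if it is bound via the
        # system-only permission or answers the accessibility intent action.
        if svc.get(ANDROID_NS + "permission") == A11Y_PERMISSION or A11Y_ACTION in actions:
            services.append(svc.get(ANDROID_NS + "name"))
    return {
        "package": root.get("package"),
        "accessibility_services": services,
        "sensitive_permissions": sorted(requested & SENSITIVE),
        "review": bool(services),  # any accessibility service warrants a closer look
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The `review` flag only says that an accessibility service is declared, so it marks an app for closer inspection and does not by itself classify it.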

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
