{
	"id": "33e5c185-31e6-4b0d-ac50-8bf9ec220b87",
	"created_at": "2026-04-06T00:07:31.967325Z",
	"updated_at": "2026-04-10T03:22:08.132341Z",
	"deleted_at": null,
	"sha1_hash": "5968860caf19724ef57e4e7b8fe715fb5de8ad04",
	"title": "MMRat Carries Out Bank Fraud Via Fake App Stores",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1578960,
	"plain_text": "MMRat Carries Out Bank Fraud Via Fake App Stores\r\nBy: Trend Micro Research Aug 29, 2023 Read time: 8 min (2290 words)\r\nPublished: 2023-08-29 · Archived: 2026-04-05 17:19:03 UTC\r\nStealthy Android Malware MMRat Carries Out Bank Fraud Via Fake App Stores\r\nThe Trend Micro Mobile Application Reputation Service (MARS) team discovered a new, fully undetected Android banking trojan, dubbed MMRat, that has been targeting mobile users in Southeast Asia since late June 2023.\r\nThe Trend Micro Mobile Application Reputation Service (MARS) team discovered a new, fully undetected Android banking trojan, dubbed MMRat (detected by Trend Micro as AndroidOS_MMRat.HRX), that has been targeting mobile users in Southeast Asia since late June 2023. The malware, named after its distinctive package name com.mm.user, can capture user input and screen content, and can also remotely control victim devices through various techniques, enabling its operators to carry out bank fraud on the victim’s device.\r\nFurthermore, MMRat uses a special customized command-and-control (C\u0026C) protocol based on protocol buffers (aka Protobuf), an open-source data format used for serializing structured data. This feature, which is rarely seen in Android banking trojans, enhances its performance during the transfer of large volumes of data.\r\nDistribution analysis\r\nOur analysis reveals that most MMRat samples are downloaded from a series of similar phishing websites disguised as official app stores. These websites primarily differ in language, which indicates the target victims of MMRat’s operators. However, the exact method by which these phishing links reach the victim’s devices remains unclear.\r\nhttps://www.trendmicro.com/en_us/research/23/h/mmrat-carries-out-bank-fraud-via-fake-app-stores.html\r\nPage 1 of 10\n\nFigure 1. Examples of app store pages in Vietnamese and Thai, containing text that mentions app installation tips. The second screenshot is spoofing a Thai government entity.\r\nAt the time of writing, the malware has managed to remain entirely undetected on VirusTotal, demonstrating that the techniques used to allow it to remain under the radar have been successful. Similar malware, such as GigabudRat and Vultur, which also exploit similar techniques such as keylogging and screen capturing, achieve notable detection-evasion results during their attack stages.\r\nHow MMRat is used in bank fraud\r\nThe MMRat attack sequence:\r\n1. The victim downloads and installs MMRat.\r\n2. The victim grants MMRat the necessary permissions.\r\n3. MMRat starts to communicate with the remote server and sends a large amount of data that includes device status, personal data, and keylogging data.\r\n4. When the target device isn’t being used, the threat actor can wake up the device remotely, unlock the screen, and perform bank fraud. Concurrently, the threat actor can also initiate screen capturing for server-side visualization of the device screen.\r\n5. In the final step, MMRat uninstalls itself, removing all traces of the malware from the system.\r\nAnalysis of MMRat\r\nAs previously mentioned, MMRat is capable of capturing user input and screen content and of remotely controlling the devices of its victims. It relies heavily on the Android Accessibility service and the MediaProjection API to function properly.\r\nImpersonation and persistence routine\r\nTo avoid suspicion, MMRat often masquerades as an official government or dating app, then presents a phishing website to victims upon being launched. Subsequently, it registers a receiver that can receive system events, including the ability to detect when the system switches on and off, and reboots, among others. Upon the receipt of these events, the malware launches a 1x1-pixel activity to ensure its persistence.\r\nNetwork communication with remote server\r\nUpon initiating the Accessibility service, MMRat establishes a connection with an attacker-controlled server. Notably, MMRat employs different ports on a single server for different functions:\r\nPort\tProtocol\tDescription\r\n8080\tHTTP\tData exfiltration\r\n8554\tRTSP\tRTSP video streaming\r\n8887\tCustomized\tCommand and Control\r\nTable 1. The ports used by MMRat on a single server\r\nThe C\u0026C protocol, in particular, is unique due to its customization based on Netty (a network application framework) and the previously mentioned Protobuf, complete with well-designed message structures.\r\nFor C\u0026C communication, the threat actor uses an overarching structure to represent all message types and the “oneof” keyword to represent different data types. We have meticulously reconstructed the major Protobuf schemas utilized in the C\u0026C communication, as shown in Figure 3.\r\nThe “PackType” is an enum structure that can be used to represent C\u0026C commands, while the “pack” field contains detailed data corresponding to different C\u0026C commands.\r\nTable 2 shows the defined C\u0026C commands used by the malware and their corresponding descriptions. Since it involves bidirectional communication, we have divided the C\u0026C commands into server commands and client commands. Server commands are sent to the client, while client commands are sent to the server.\r\nName\tType\tDescription\r\nLOGIN_ADMIN\tN/A\tN/A\r\nTOUCH\tServer\tExecute gesture\r\nACCESSIBLE_GLOBAL\tServer\tUse accessibility to perform global action\r\nINPUT_TEXT\tServer\tSet text of focused node\r\nLAYOUT_SHOW (2)\tServer\tEnable/disable user terminal state\r\nREQUEST_PERMISSION\tN/A\tN/A\r\nUSER_TERMINAL_STATE\tClient\tSend UserState message to remote server\r\nOPERATIONAL_LOG\tClient\tSend keylogging data to remote server\r\nUNLOCK_SCREEN\tServer\tUnlock screen via stolen password\r\nINPUT_PASSWORD\tServer\tInput password for WeChat and Zhifubao\r\nCLICK_TEXT\tServer\tClick node\r\nOPEN_BLACK_MASK\tServer\tSet its view as visible/invisible\r\nLAYOUT_READER\tClient\tSend dumped node info to remote server\r\nPING\tClient\tPing heartbeat\r\nPONG\tClient\tPong heartbeat\r\nMEDIA_STREAM (2)\tServer\tStart capturing screen or camera video\r\nMICROPHONE\tServer\tSet microphone status while recording the screen\r\nUNINSTALL_APP\tServer\tUninstall itself\r\nWAKE_UP_DEVICE\tServer\tWake up device\r\nAPP_OPT\tServer\tShow/hide icon\r\nTable 2. MMRat C\u0026C commands and their descriptions\r\nCollection of device status and personal information\r\nMMRat collects a wide range of device status and personal data, including network data, screen data, battery data, installed apps, and contact lists.\r\nNetwork data includes information such as signal strength and network type.\r\nScreen data includes information on whether the screen is locked, the app currently in use, and the activity that is currently displayed on the screen.\r\nBattery data provides information about the device's battery status.\r\nContacts includes the user's contact list.\r\nInstalled apps includes the apps installed on the device.\r\nTo collect this data in a timely manner, MMRat schedules a timer task that executes every second while also using a counter that resets every 60 seconds to determine when different tasks are executed.\r\nFigure 5. The timer task used to execute different tasks according to the counter\r\nMMRat specifically targets the victim’s contact and installed app list for collection. We believe the goal of the threat actor is to uncover personal information to ensure the victim fits a specific profile. For instance, the victim may have contacts that meet certain geographical criteria or have a specific app installed. This information can then be used for further malicious activities.\r\nFigure 6. Collecting and uploading the victim’s contact list and installed apps details\r\nAutomatic permission approval\r\nOnce Accessibility permission is granted, MMRat can abuse it to grant itself other permissions and modify settings. For example, in the previous data collection phase, MMRat can automatically grant itself the READ_CONTACTS permission to collect contact data.\r\nThe code snippet in Figure 4 shows how MMRat can automatically obtain permissions. It achieves this by launching the system dialog and automatically approving incoming permission requests. The automatic approval function is implemented by finding an “ok” or related keyword on the screen and using Accessibility to simulate clicking. This means that MMRat can bypass user intervention and grant itself the necessary permissions to perform its malicious activities.\r\nFigure 8. Keywords such as “ok” and other similar words and phrases\r\nActions and capturing user inputs\r\nMMRat abuses the Accessibility service to capture user input and actions via keylogging. This data could be used to obtain the victim’s credentials and record the victim’s actions for later replay on the device.\r\nUnlike other keylogging malware that focus on specific scenarios, such as logging keys only when the victim is using bank apps, MMRat logs every action performed by users and uploads them to the server via the C\u0026C channel. It appears that the threat actor behind MMRat wants to collect a large amount of action logs from the victim to determine the malware’s next steps.\r\nFigure 9. Logging user actions and uploading them to the C\u0026C server\r\nEach log is a LogInfo structure, serialized via Protobuf.\r\nmessage LogInfo {\r\n        string packageName = 1;\r\n        string className = 2;\r\n        string content = 3;\r\n}\r\nIn addition to conventional keylogging, the malware has a particular interest in the lock screen pattern. If it detects that the user is unlocking the device, the malware collects the pattern value and uploads it to the server through its C\u0026C channel. This allows the threat actor to gain access to the victim’s device even when it is locked.\r\nCapturing screen content\r\nMMRat can capture real-time screen content of the victim’s device and stream the content to a remote server. To capture the screen content, the malware relies primarily on the MediaProjection API to record the victim’s screen. However, we also found that the malware uses another method to acquire screen content and bypass FLAG_SECURE protection, referred to as “user terminal state” by the malware.\r\nBased on our observations, we believe the screen content capturing capability is used in conjunction with remote control functions so the threat actor can view the device’s live status while performing bank fraud. Rather than capturing credentials, we found that the malware will constantly check for commands and will stop screen content streaming if no commands are received within 30 seconds.\r\nFigure 11. Stopping screen content streaming if no commands are received\r\nAndroid MediaProjection API\r\nTo conveniently use the MediaProjection API and stream video data to the remote server, MMRat abuses an open-source framework called rtmp-rtsp-stream-client-java. This allows it to record the screen and stream real-time video data to a remote server via Real Time Streaming Protocol (RTSP). Upon receiving the MEDIA_STREAM command, MMRat can record two types of data, screen and camera data, according to the issued configuration.\r\nFor example, when recording screen data, MMRat launches an activity called DisplayActivity. This activity requests recording permission by calling createScreenCaptureIntent, which triggers a system dialog popup to grant permissions. As previously mentioned, the system dialog is automatically approved via auto-clicking.\r\nFigure 12. Requesting permission and screen recording (once granted)\r\nOnce the recording request is approved, MMRat begins recording the screen and streams the data to the C\u0026C server by calling the API startStream provided by the open-source framework repository.\r\nUser terminal state\r\nThe so-called “user terminal state” approach to capturing screen content is quite different from the method that employs the MediaProjection API. As the name suggests, MMRat doesn’t record the screen as a video. Instead, it abuses the Accessibility service to recursively dump all child nodes in windows every second and upload the dumped data via the C\u0026C channel. Consequently, the result only includes text information without a graphical user interface, therefore resembling a “terminal”.\r\nFigure 14. Dumping all windows and traversing root nodes to get all child nodes recursively\r\nAlthough the approach is somewhat crude and requires additional work from the threat actor on the server side to reconstruct the data, it effectively collects the desired information for remote inspection and control (for example, node info for clicking and inputting). Since this approach does not rely on the MediaProjection API, it can bypass the protection of FLAG_SECURE, a flag that can be added to window parameters to prevent screenshots and screen recordings.\r\nMoreover, the use of Protobuf and customized protocols based on Netty enhances performance. This is particularly beneficial when transferring large amounts of screen data in a timely manner, providing the threat actor with an effect similar to a video stream.\r\nRemote controlling\r\nThe MMRat malware abuses the Accessibility service to remotely control the victim’s device, performing actions such as gestures, unlocking screens, and inputting text, among others. This can be used by threat actors, in conjunction with stolen credentials, to perform bank fraud.\r\nAs outlined in the “How MMRat performs bank fraud” section, we believe that even before executing its remote access routine, MMRat executes several preliminary steps for user evasion:\r\n1. Wakeup: The malware leverages the Accessibility service to simulate a double-click on the screen to wake the device.\r\n2. Unlock screen: The malware uses previously stolen unlock patterns to unlock the screen.\r\nFinally, MMRat can control the device remotely while the victims are not actively using their phones.\r\nHiding tracks\r\nThe MMRat malware possesses the capability to delete itself upon receiving the C\u0026C command UNINSTALL_APP. This behavior usually takes place after the execution of bank fraud, making it more difficult to trace its activities.\r\nConclusion and recommendation\r\nMMRat is a potent Android banking trojan that poses a considerable threat to mobile users, particularly in Southeast Asia. Its key capabilities, which include keylogging, screen recording, and remote control access, enable it to execute bank fraud effectively and efficiently.\r\nTo protect against this malware, users are advised to:\r\n1. Only download apps from official sources. MMRat is often downloaded from phishing websites posing as official app stores. Always use trusted platforms such as Google Play Store or Apple App Store.\r\n2. Regularly update device software. Updates often include security enhancements that protect against new threats like MMRat.\r\n3. Be cautious of granting accessibility permissions. MMRat exploits Android's Accessibility service to carry out its malicious activities. Always scrutinize the permissions requested by apps.\r\n4. Install a reputable security solution on your device. This can help detect and remove threats before they can cause harm.\r\n5. Be vigilant with your personal and banking information. MMRat's goal is to commit bank fraud, so be cautious about the information you share online and the data you provide to your personal apps.\r\nTrend is part of Google’s App Defense Alliance (ADA), which enhances user security by detecting malicious apps prior to their release on the Google Play store. As part of this alliance, Trend, in partnership with Google, helps protect users from malicious actors, keeping the world safer for exchanging digital information.\r\nIndicators of Compromise\r\nThe complete indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/23/h/mmrat-carries-out-bank-fraud-via-fake-app-stores.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/h/mmrat-carries-out-bank-fraud-via-fake-app-stores.html"
	],
	"report_names": [
		"mmrat-carries-out-bank-fraud-via-fake-app-stores.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434051,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5968860caf19724ef57e4e7b8fe715fb5de8ad04.pdf",
		"text": "https://archive.orkl.eu/5968860caf19724ef57e4e7b8fe715fb5de8ad04.txt",
		"img": "https://archive.orkl.eu/5968860caf19724ef57e4e7b8fe715fb5de8ad04.jpg"
	}
}