Innovative Android Malware Exploits Unconventional Data Theft Approach

Trend Micro, a reputable cybersecurity research entity, has recently unveiled a distinct strain of mobile trojan that employs an atypical communication technique to discreetly gather sensitive data from compromised devices. Using a novel protobuf data serialization approach, the virus is much more effective at gathering essential data from its target endpoints.

The "MMRat" malware, named by Trend Micro researchers, first appeared in June 2023, primarily targeting Southeast Asian victims. It's interesting to note that upon its initial detection, popular antivirus scanning services like VirusTotal failed to flag it as harmful, highlighting its complex architecture.

MMRat boasts extensive malicious functionalities, ranging from data aggregation to covert operations. Its multifaceted toolkit includes capturing network, screen, and battery data, extracting contact lists, logging keystrokes, seizing real-time screen content, recording and streaming live camera data, and even uninstalling itself when required.


One of MMRat's standout features is its real-time screen content-capturing capacity, which depends on quick and smooth data transmission. Here, the protobuf protocol assumes a prominent position and becomes essential to the smooth running of the malware. The virus uses a unique data exfiltration protocol and a variety of ports and protocols to enable data interchange with the authorized command and control (C2) server.

Trend Micro's comprehensive report highlights the uniqueness of the C&C protocol, intricately constructed around the Netty network application framework and the Protobuf protocol. This customized architecture encompasses well-structured message formats, incorporating the "oneof" keyword to proficiently handle diverse data types within a unified structure.

The stealthy activities of the infection frequently find refuge in phony mobile app shops posing as official government or dating applications. Significantly, a significant signal is revealed through permission requests despite the sophistication of these deceitful efforts. These malicious apps request permission to use Android's Accessibility Service, which is a blatant sign of their evil intentions. The good news is that users who use care and decline these permission requests effectively neutralize the malware's influence and prevent its potential for harm.


In conclusion, the discovery of MMRat underscores the evolving landscape of mobile trojans. Its strategic utilization of the protobuf data serialization technique to augment data theft capabilities signifies a pivotal shift towards intricate and sophisticated tactics employed by cybercriminals.

Users must maintain caution and skepticism when granting rights to programs, even those that initially seem innocuous, in an age marked by developing security measures and detection techniques. Malicious actors and cybersecurity professionals are still at odds, with the latter working nonstop to outsmart the former's cutting-edge tactics for securing the digital sphere.

Read next: Apple's Hacking Adventure of 130+ iOS Bugs Unearthed with a Little iPhone Magic
Previous Post Next Post