Original Release Date: 2016-12-15
Marcher Android banking malware was first discovered in 2013 targeting mostly Russian Google Play users to steal their credit card details by displaying a false payment information entry page. In 2014, it began targeting German bank users after adding banking credential theft to its capabilities. Marcher is spread through phishing campaigns, malicious links in SMS texts, and pornography sites. The malware targets all current versions of Android and is sold on underground forums as malware-as-a-service. Once it has infected the device, Marcher takes an inventory of the apps installed on the device, searching for one the malware knows how to exploit. Currently, Marcher mainly exploits Australian and German banks but also targets PayPal. The malware spoofs the login page for the targeted apps in order to steal users' credentials. Additionally, the newest version is able to bypass two-factor authentication by stealing the SMS texts sent to the device.
In January 2017, Marcher reportedly posed as the popular game Super Mario Run, stealing financial account information and credit card numbers from consumers who attempted to download the app from third-party sites. The app available through the official Google Play store was not affected and did not contain the malicious code.
In June 2017, researchers at Zscaler Threatlabz discovered a new version of Marcher disguising itself as an Adobe Flash Player Update. Once installed, the malware removes its own icon from the phone and registers the infected device with its C2 server. This version of Marcher spoofs various applications by displaying overlays designed to capture sensitive information. According to ZDNet, some of the apps targeted by Marcher include: Citibank, TD Bank, PayPal, Gmail, Facebook, Walmart, Amazon, and Western Union.
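The behaviours described above (an overlay capability, SMS interception, and an app that hides its own launcher icon after install) are the combination a defender would want to look for in a device inventory. The following is an added triage example written for this page, not code from the advisory or from any vendor; the package names and the inventory records are constructed, and treating overlay + SMS access + hidden icon as the flagging rule is this example's own assumption.

```python
# Added example (not from the advisory): a triage heuristic over a constructed
# app-inventory snapshot, flagging the combination of capabilities that the
# Marcher description above implies (overlay, SMS interception, hidden icon).
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Real Android permission strings; which ones matter for triage is our assumption.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


@dataclass
class AppRecord:
    package: str
    installer: Optional[str]        # None = sideloaded (no installing package recorded)
    permissions: Set[str] = field(default_factory=set)
    launcher_enabled: bool = True   # False when no launcher activity is currently enabled


def triage(app: AppRecord) -> List[str]:
    """Return the risk indicators raised for one app (empty list = nothing notable)."""
    indicators = []
    if OVERLAY_PERM in app.permissions:
        indicators.append("overlay")       # can draw a fake login page over other apps
    if app.permissions & SMS_PERMS:
        indicators.append("sms")           # can read one-time codes sent by SMS
    if not app.launcher_enabled:
        indicators.append("hidden-icon")   # has removed itself from the app drawer
    if app.installer is None:
        indicators.append("sideloaded")    # not installed from an app store
    return indicators


def suspicious(app: AppRecord) -> bool:
    """Overlay + SMS access on an app that has hidden itself matches the pattern above."""
    return {"overlay", "sms", "hidden-icon"} <= set(triage(app))


# Constructed inventory with hypothetical package names.
INVENTORY = [
    AppRecord("com.example.bank", "com.android.vending", {"android.permission.INTERNET"}),
    AppRecord("com.example.flashupdate", None,
              {OVERLAY_PERM, "android.permission.RECEIVE_SMS", "android.permission.INTERNET"},
              launcher_enabled=False),
    AppRecord("com.example.messaging", "com.android.vending",
              {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}),
]


def flagged_packages(inventory: List[AppRecord] = INVENTORY) -> List[str]:
    """Packages in the inventory that trip the full Marcher-style rule."""
    return [a.package for a in inventory if suspicious(a)]


if __name__ == "__main__":
    for app in INVENTORY:
        print(app.package, triage(app), "SUSPICIOUS" if suspicious(app) else "")
```

A legitimate messaging app legitimately holds SMS permissions and is only reported as an indicator, not flagged; the rule only fires when the overlay capability, SMS access and a disabled launcher entry coincide, which is why each indicator is returned separately for an analyst to weigh.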
Reporting
Technical Details