Marcher Android banking malware was first discovered in 2013 targeting mostly Russian Google Play users to steal their credit card details by displaying a false payment information entry page. In 2014, it began targeting German bank users after adding banking credential theft to its capabilities. Marcher is spread through phishing campaigns, malicious links in SMS texts, and pornography sites.


PluginPhantom is an Android banking Trojan discovered by Palo Alto Networks in November 2016 and believed to be the successor to the Trojan “Android.Trojan.Ihide.” The Trojan uses the “DroidPlugin” framework to infect users’ devices and steal files, location data, contacts, and WiFi information. It can also log keystrokes, take pictures, capture screenshots, record audio, and intercept and send SMS messages.