Marcher Android banking malware was first discovered in 2013 targeting mostly Russian Google Play users to steal their credit card details by displaying a false payment information entry page. In 2014, it began targeting German bank users after adding banking credential theft to its capabilities. Marcher is spread through phishing campaigns, malicious links in SMS texts, and pornography sites. The malware targets all current versions of Android and is sold on underground forums as malware-as-a-service. Once it has infected the device, Marcher will take an inventory of the current apps on the device, searching for one the malware exploits. Currently, Marcher mainly exploits Australian and German banks but also targets PayPal as well. The malware will spoof the login page for the apps in order to steal users' credentials. Additionally, the newest version is able to bypass two-factor authentication by stealing the SMS texts sent to the device.


  • January 2017: Attackers created a fake “Super Mario Run” app for Android that infects users with the Marcher Trojan. Once it is downloaded, the Trojan overlays the app with a fake login page used to steal the user’s credentials. (Graham Cluley)
  • December 2016: A new campaign is targeting users in Poland and Germany, first infecting devices with the ISFB/Gozi banking Trojan and then infecting it with the Marcher Android banking Trojan. (X-Force)
  • August 2016: Marcher Trojan began (or was observed) targeting Android users through a fake Google warning with a malicious link to update their device’s firmware. (Zscaler)
  • March 2016: Marcher delivering malware through fake pornography downloads. (SCMagazine)
  • March 2016: Marcher using Adobe Flash to trick users to become infected. (eWeek)
  • December 2015: Marcher infecting users through SMS text link. (Gizmodo)

Technical Details

  • Checkpoint provides additional technical details, available here.

Infection as of June 2, 2016. Image Source - Softpedia