


Marcher Android Banking Trojan Makes a Comeback!

The latest Marcher malware combines three security threats into a single, well-designed hunting expedition. Thought DoubleLocker was cool? Say hello to the new malware strain. Security researchers from Proofpoint revealed that the new and evolved Marcher malware combines phishing, credit card data theft, and a banking trojan into one multi-step scheme, putting Android banking customers at risk.

Hackers have long combined phishing with malware; however, the use of three techniques in one campaign reflects the sophistication of the criminals behind it. Phishing is often used to deliver the malware itself. The Android Marcher trojan, which has remained active since 2013, infects targets through phishing, using fake software/security updates and fake apps. The malware is then installed on the victim's device, after which Marcher tries to steal credit card information.

Marcher Android banking trojan - how the latest campaign works

In their research, Proofpoint said that the latest campaign targets customers of Austrian banks and has been active since January. Here's how it works:

  • While Marcher was previously distributed through SMS, in this campaign the malicious link to the malware was delivered in emails. The link is shortened to avoid detection.
  • The link leads to a phishing site for the user's bank, which asks for the user's banking credentials.
  • The login page then demands the victim's phone number and email address.
  • They are then told to download the bank's app, and are shown a prompt for a fake app.
  • It also guides the victim to allow "Unknown sources" from settings so that this fake app can install, and to enable "Device Admin" privileges following the installation.
  • The app (which was downloaded by 7% of the visitors) finally drops the Marcher banking trojan.

This trojan demands several permissions and gets privileges to:

  • Read/write to external storage
  • Access location
  • Read, write and send SMS messages (could be used for paid SMS)
  • Initiate a phone call without going through the Dialer user interface (again, could cost)
  • Contacts data
  • Force the device to lock
  • Change Wi-Fi connectivity state, and other similarly excessive permissions.
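The permission set and Device Admin request described above can be checked for in a decoded AndroidManifest.xml before an app is allowed onto managed devices. The following is an added example, not code from the article or from Proofpoint; the mapping from the article's list to Android permission names, the threshold of 4 and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Capabilities from the article's list, mapped to standard Android permission
# names. The mapping is this example's assumption, not Proofpoint's data.
CAPABILITIES = {
    "external storage": {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "sms": {P + "READ_SMS", P + "WRITE_SMS", P + "SEND_SMS"},
    "direct calls": {P + "CALL_PHONE"},
    "contacts": {P + "READ_CONTACTS", P + "WRITE_CONTACTS"},
    "wifi state": {P + "CHANGE_WIFI_STATE"},
}

def audit_manifest(xml_text):
    """Return (sorted capability names requested, declares_device_admin)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    matched = sorted(n for n, perms in CAPABILITIES.items() if perms & requested)
    # A Device Admin app declares a receiver guarded by BIND_DEVICE_ADMIN.
    admin = any(r.get(ANDROID + "permission") == P + "BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    return matched, admin

def is_suspicious(xml_text, threshold=4):
    """Flag Device Admin combined with most of the listed capabilities."""
    matched, admin = audit_manifest(xml_text)
    return admin and len(matched) >= threshold

# Constructed sample manifest (hypothetical package, not a real sample).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE), is_suspicious(SAMPLE))
```

The input is the text manifest produced by decoding an APK; the binary manifest inside the APK has to be decoded first.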

After receiving banking login information, email and phone data, and excessive permissions, the trojan then demands that users enter their credit card number whenever they open the Google Play Store or other apps, essentially managing to steal everything financial from the user.

In this latest campaign, attackers used shortened URLs, copied the interface of the targeted bank's website and app, used a legitimate-looking icon after the app was installed, and even used top-level domains (if the bank used .info, they used .gdn) to trick users into believing it was indeed their bank.

"As we use mobile devices to access the web and phishing templates extend to mobile environments, we should expect to see a greater variety of integrated threats like the scheme we detail here," Proofpoint wrote in its research. "As on the desktop, mobile users need to be wary of installing applications from outside of legitimate app stores and sources and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites."

Source: https://wccftech.com/marcher-android-banking-trojan-comeback/

Posted by: hillsincing.blogspot.com
