The latest Marcher malware combines three security threats into a single, well-designed campaign. Thought DoubleLocker was cool? Say hello to the new malware strain. Security researchers from Proofpoint revealed that the new and evolved Marcher malware combines phishing, credit card data theft, and a banking trojan into one multi-step scheme, putting Android banking customers at risk.
Hackers have long combined phishing with malware; the use of three techniques in one campaign, however, reflects the sophistication of the criminals behind it. Phishing is often used to deliver the malware itself. The Android Marcher trojan, which has been active since 2013, infects targets through phishing using fake software/security updates and fake apps. Once the malware has been dropped on the victim's device, Marcher tries to steal credit card information.
Marcher Android banking trojan - how the latest campaign works
In their research, Proofpoint said that the latest campaign targets customers of Austrian banks and has been active since January. Here's how it works:
While Marcher was previously distributed through SMS, in this campaign the malicious link to the malware was delivered in emails. The link is shortened to avoid detection.
1. The link leads to a phishing site impersonating the user's bank, which asks for the user's banking credentials.
2. The login page then demands the victim's phone number and email address.
3. The victim is then told to download the bank's app and is shown a prompt for a fake app.
4. The page also guides the victim to allow "Unknown sources" in settings so that the fake app can install, and to enable "Device Admin" privileges after the installation.
5. The app (which was downloaded by 7% of the visitors) finally drops the Marcher banking trojan.
This trojan demands several permissions and gets privileges to:
- Read/write to external storage
- Access location
- Read, write and send SMS messages (could be used for paid SMS)
- Initiate a phone call without going through the Dialer user interface (again, could cost)
- Access contacts data
- Force the device to lock
- Change Wi-Fi connectivity state, and other similarly excessive permissions.
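The permission list above is the most useful artifact a defender gets from this kind of report: a sideloaded "bank app" that asks for SMS, call, contacts and device-admin rights at once is worth a second look before it ever runs. The following is an added example, not code from the article or from Proofpoint, that triages a decoded AndroidManifest.xml against those capabilities. The mapping from the article's plain-language list to Android permission names, the scoring weights and the sample manifests are my own assumptions, constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Assumed mapping of the capabilities listed in the article to the Android
# permission constants an app would have to request to obtain them.
SUSPECT_PERMISSIONS = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "read/write external storage",
    "android.permission.ACCESS_FINE_LOCATION": "access location",
    "android.permission.ACCESS_COARSE_LOCATION": "access location",
    "android.permission.READ_SMS": "read SMS (e.g. banking one-time codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS (premium-rate abuse)",
    "android.permission.CALL_PHONE": "place calls without the Dialer UI",
    "android.permission.READ_CONTACTS": "read contacts data",
    "android.permission.CHANGE_WIFI_STATE": "change Wi-Fi connectivity state",
}

# Constructed sample: a fake banking app requesting the kind of permission set
# the article describes, plus a device-admin receiver (enables force-lock).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a benign app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application/>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Flag requested permissions that match the article's list and detect a
    device-admin receiver; return a small verdict dict for review queues."""
    root = ET.fromstring(manifest_xml)
    requested = [e.get(NAME_ATTR) for e in root.iter("uses-permission")]
    flagged = {p: SUSPECT_PERMISSIONS[p] for p in requested if p in SUSPECT_PERMISSIONS}
    # A <receiver> guarded by BIND_DEVICE_ADMIN is how an app becomes a device
    # administrator, which is what lets it force the device to lock.
    device_admin = any(r.get(PERM_ATTR) == "android.permission.BIND_DEVICE_ADMIN"
                       for r in root.iter("receiver"))
    # Assumed weights: each flagged permission counts 1, device admin counts 3.
    score = len(flagged) + (3 if device_admin else 0)
    return {
        "package": root.get("package"),
        "flagged": flagged,
        "device_admin": device_admin,
        "score": score,
        "verdict": "review" if score >= 4 else "ok",
    }


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], r["score"], sorted(r["flagged"]))
```

In practice the manifest comes out of `apktool d` or `aapt dump xmltree`; the threshold is deliberately low because a genuine banking app has no reason to request SMS, call and contacts access plus device-admin rights together.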
After harvesting banking login data, the victim's email address and phone number, and excessive permissions, the trojan then demands that users enter their credit card number whenever they open the Google Play Store or other apps, essentially stealing everything financial from the user.
In this latest campaign, attackers used shortened URLs, copied the user interface of the targeted bank's website and app, used a legitimate-looking icon after the app was installed, and even used look-alike top-level domains (where the bank used .info, they used .gdn) to trick users into believing it was indeed their bank.
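The two link tricks described here, shortened URLs and a swapped top-level domain, are both mechanical enough to catch in a mail filter or a user-awareness tool. The following is an added example, not code from the article or from Proofpoint, that classifies a link against a bank's known-good hostnames. The bank hostnames, the shortener list and the URLs are constructed placeholders, and the registrable-label heuristic is a simplification (it does not consult the public suffix list).

```python
from urllib.parse import urlsplit

# Constructed for the example: the bank's genuine hostnames.
BANK_HOSTS = {"examplebank.info", "www.examplebank.info"}
# Constructed, non-exhaustive list of URL shortener hosts.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}


def registrable_label(host: str) -> str:
    """Return the label just left of the TLD ('examplebank' for
    'www.examplebank.info'). Assumption: no multi-label public suffixes."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_link(url: str) -> str:
    """Classify a URL relative to the bank's real hosts:
    legitimate, shortened, tld-lookalike, brand-in-host or unknown."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unknown"
    if host in BANK_HOSTS:
        return "legitimate"
    # Shortened links hide the real destination; resolve before trusting.
    if host in SHORTENER_HOSTS:
        return "shortened"
    bank_labels = {registrable_label(h) for h in BANK_HOSTS}
    # Same brand label, different TLD: the .info -> .gdn trick in the article.
    if registrable_label(host) in bank_labels:
        return "tld-lookalike"
    # Brand name embedded somewhere else in the hostname.
    if any(label in host for label in bank_labels):
        return "brand-in-host"
    return "unknown"


def classify_links(urls):
    """Classify a batch of URLs; returns {url: verdict}."""
    return {u: classify_link(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links.
    for url, verdict in classify_links([
        "https://www.examplebank.info/login",
        "http://bit.ly/2abcXYZ",
        "https://examplebank.gdn/login",
        "https://secure-examplebank-login.com/",
        "https://example.org/",
    ]).items():
        print(f"{verdict:14} {url}")
```

Anything other than "legitimate" should be treated as a reason not to enter credentials; "shortened" links in particular need to be expanded (for instance with a HEAD request in a sandbox) and re-classified on the final destination.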
"As we use mobile devices to access the web and phishing templates extend to mobile environments, we should expect to see a greater variety of integrated threats like the scheme we detail here," Proofpoint wrote in its research. "As on the desktop, mobile users need to be wary of installing applications from outside of legitimate app stores and sources and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites."