3-Yr Old Marcher Trojan Uses Porn Sites and Flash Player to Steal Banking Credentials

Rafia Shaikh
Posted Mar 11, 2016

Just a few hours after Adobe released an emergency, out-of-band patch to fix a critical vulnerability in Flash, the trouble magnet is back in the news. Adobe Flash Player is putting users at serious risk, as its exploits are used not only to take control of your machine, but also to land you in serious financial trouble. This time, it’s not entirely Flash’s fault, though. Earlier this week an Android banking trojan was discovered that fools users into installing a fake Adobe Flash version, with the goal of serving phishing web pages that steal users’ banking credentials.

Another trojan, dubbed Android Marcher, uses the same technique. Previously focused on massive SMS and email spam campaigns, the trojan has now evolved: Marcher is a three-year-old trojan that has resurfaced on the internet, this time targeting Android users visiting porn sites.

Android Marcher uses porn sites to steal users’ financial info

Porn sites have long been used to serve malware, and Marcher does the same by prompting site visitors to install a malware-infected payload that appears to be an Adobe Flash installer package. If Flash wasn’t doing enough itself to send tons of malware our way, criminal hackers have found another way to monetize unwitting visitors: tricking them into downloading fake copies of Flash.

The primary goal again is to steal financial information from the user through a fake Google Play store payment page. Zscaler reported:

[…] a new wave of Marcher Trojan that has been active for the past month, where the malware arrives as an Adobe Flash installer package. We have captured over 50 unique payloads from this campaign. The majority of these Marcher payloads are from pornographic sites serving a fake Adobe Flash Player for watching porn. The primary goal of this malware is still the same – display a fake Google Play store payment page and steal financial information from the user.

First seen in 2013, the Marcher trojan has evolved into a sophisticated piece of Android malware that is now aware of a user device’s application profile. “This is the first wave where we have seen Marcher variants leveraging a combination of porn lure and [a phony] Adobe Flash Player update,” Zscaler added.

How does Android Marcher work?

When an Android user visits a porn site, a popup asks them to install the Android version of Adobe Flash in order to watch the video. Since the Google Play Store no longer offers Flash (it has been discontinued), the site offers a direct download instead. Once the user has been tricked into downloading the fake Adobe Flash copy onto their device, they are asked to grant it admin privileges to complete the installation.

Once it has full control of the victim’s Android phone, the app starts communicating with its command and control (C&C) server, sending identification data from the user’s device. The latest phishing campaign uses 50 different versions of Android Marcher. Most of these are packed with phishing pages posing as the Google Play store, asking the user for their credit card information to finish the Flash Player installation.

Not only this, but it also looks for any banking apps installed on the user’s device. If it supports that bank, it overlays its own fake page over the official banking app and steals the login credentials. “The user banking credential information is relayed back to the C&C server in plain text,” the security researchers explained.
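To make the infection chain above useful from the defender’s side, here is an added triage script (my own example, not code from the article or from Zscaler) that parses constructed excerpts of `adb shell dumpsys device_policy` and `adb shell pm list packages -3 -i` output and flags third-party apps that hold device admin rights, were sideloaded rather than installed from Google Play, and carry a Flash-themed package name. The sample dumps, package names and `LURE_NAMES` list are assumptions for the demo.

```python
import re

# Constructed sample of `adb shell dumpsys device_policy` (not from the article); only the admin block is parsed.
DEVICE_POLICY_DUMP = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.settings/.DeviceAdminReceiver
    com.adobe.flashplayer.update/.AdminReceiver
  Password Policy: quality=0
"""
# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps with their installer).
PACKAGES_DUMP = """package:com.adobe.flashplayer.update  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.game  installer=com.android.vending
"""
PLAY_STORE = "com.android.vending"
LURE_NAMES = ("flash", "adobe")  # Flash is not on Google Play, so such names are a red flag

def parse_device_admins(dump):
    """Return package names listed under 'Enabled Device Admins'."""
    admins, block_indent = set(), None
    for line in dump.splitlines():
        indent = len(line) - len(line.lstrip())
        if "Enabled Device Admins" in line:
            block_indent = indent
        elif block_indent is not None:
            if line.strip() and indent <= block_indent:
                break  # reached the next top-level section
            m = re.match(r"\s*([\w.]+)/[\w.$]+\s*$", line)
            if m:
                admins.add(m.group(1))
    return admins

def parse_installers(dump):
    """Map package name -> installer package ('null' means sideloaded)."""
    return dict(re.findall(r"package:(\S+)\s+installer=(\S+)", dump))

def triage(device_policy_dump, packages_dump):
    """Flag third-party apps matching two or more Marcher-style indicators."""
    admins = parse_device_admins(device_policy_dump)
    findings = []
    for pkg, installer in sorted(parse_installers(packages_dump).items()):
        reasons = []
        if pkg in admins:
            reasons.append("holds device admin rights")
        if installer != PLAY_STORE:
            reasons.append("sideloaded (installer=%s)" % installer)
        if any(word in pkg.lower() for word in LURE_NAMES):
            reasons.append("package name imitates Adobe Flash")
        if len(reasons) >= 2:
            findings.append((pkg, reasons))
    return findings
```

On a real device the two dumps would come straight from `adb shell`; the legitimate banking app in the sample is untouched because it has none of the indicators.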

Researchers said that the following 16 banks and services are targeted with custom-made phishing pages by Android Marcher:

  • BankSA – Bank of South Australia
  • Commerzbank
  • Commonwealth Bank of Australia – NetBank app
  • Deutsche Postbank
  • DKB – Deutsche Kreditbank
  • DZ Bank
  • Deutsche Bank
  • Fiducia & GAD IT
  • ING Direct
  • La Banque Postale
  • Mendons
  • NAB – National Australia Bank
  • PayPal
  • Santander Bank
  • Westpac
  • WellStar billpay app

To stay safe, only download applications from trusted sources like the Google Play store, and avoid clicking on pop-ups that demand that you download apps and grant them admin privileges. Also, try to stop using Flash – fake or real.

For those interested, the technical details of the Android Marcher trojan can be found in Zscaler’s report.
