Researchers have discovered that the Android banking trojan Marcher is on the rise, infecting devices using a phishing attack. Security researchers at Dutch security firm Securify conducted a detailed analysis of the Marcher and found out that a single botnet has managed to steal a huge number of payment cards.
Thousands infected by Marcher banking trojan in last few months
Spotted first in 2013, Marcher used to trick users with Google Play phishing pages, getting payment card details. Then it started targeting banks and other organizations in Germany, Australia, France, US, US, UK, and several other countries. Now, the security researchers have discovered nine Marcher botnets that have been mainly targeting banks from Germany, Austria, and France.
"Based on their own Trojan user manual we know that there are at least 9 Marcher actors with their own botnets supported by the original creators of the Trojan with new modules and targeted banks/webinjects (HTML overlay files) every week," the researchers said.
They added that one of these botnets have infected over 11,000 devices, including 5,696 in Germany and 2,198 in France, mostly affecting devices running Android 6.0.1 Marshmallow. The attackers stored 1,300 payment card numbers and other banking information in this particular C2 server that researchers were assessing.
How it works
The Marcher banking trojan has been disguised as clones of various popular apps, including Netflix, WhatsApp, and Super Mario Run. The process starts with a phishing attack with attackers targeting users with SMS or MMS with messages including a link that lead to a fake popular app. Now, if you have disabled downloading from "Unknown Sources," it can't do much. [It should be noted that malware-ridden apps have routinely been discovered in the Play Store itself, so better to avoid clicking on suspicious links - even those sent by your unsuspecting friends - than to trust the Stores]
However, if you are the adventurous kind with Unknown Sources enabled, the link will take you to a third-party app store. Once this app from the link is installed, it will request you to give it SMS storage access and Android privileges such as Device Admin, permission to change your network connectivity state, send texts, lock the device, start malware when the device boots, edit and delete texts, and more.
This is your second layer of protection. But, if a user fell for downloading an app in the first step, they would probably just accept to give all permissions.
Securify said that attackers are also targeting using another infection vectors including "pornographic websites serving apps called Adobe Flash or YouPorn."
Once a device is successfully infected, the Marcher banking malware uses two main attack vectors.
The first attack vector is to compromise the out of band authentication for online banks that rely on SMS using SMS forwarding.
The second attack vector, the overlay attack, shows a customized phishing window whenever a targeted application is started on the device. The overlay window is often indistinguishable from the expected screen (such as a login screen for a banking app) and is used to steal the victim’s banking credentials.
This essentially means that your banking details are probably gone after the initial successful installation of the malware.
AV is no help either
Don't assume that you will be safe if you have an antivirus app installed on your Android device. Chances are even the most updated AV tools won't detect the Android banking trojan. Researchers said this trojan "contains a list of antivirus applications for which it prevents removal of the malware."
"The technique used is quite simple: look for any AV app in the list and if it is running, the malware will force the phone back to home screen. Even the AV program detects the malware, it will still wait and ask for permission from users before starting the removal process, but because the user can’t give the permission, the malware will not be removed."
Several antivirus apps are blocked or bypassed this way, including Kaspersky, Avast, AVG, Norton, Avira, CCleaner, and others.
Takeaways and why not to get scared
- Marcher isn't going to steal your credit cards if you don't fall for suspicious links
- Even if you do, this won't affect you if you have Unknown Sources disabled under Security settings
- Messed up there too? You'll have to grant permissions or the malware will make your life hell with constant nagging. Solution? Factory reset.