Marcher Is Back! Brings Malware, Phishing and Banking Data Theft in Its Arsenal


The latest Marcher malware combines three security threats into a single, well-designed campaign. Thought DoubleLocker was cool? Say hello to the new malware strain. Security researchers from Proofpoint revealed that the new and evolved Marcher malware combines phishing, credit card data theft, and a banking trojan into one multi-step scheme that puts Android banking customers at risk.

Hackers have long combined phishing with malware; however, the use of three techniques in one campaign reflects the sophistication of the criminals behind it. Phishing is often used to deliver the malware itself. The Android Marcher trojan, which has been active since 2013, infects targets through phishing that uses fake software and security updates and fake apps. The malware is then dropped on the victim's device, after which Marcher tries to steal credit card information.


Marcher Android banking trojan - how the latest campaign works

In their research, Proofpoint said that the latest campaign targets customers of Austrian banks and has been active since January. Here's how it works:

  • While Marcher was previously distributed through SMS, in this campaign the malicious link to the malware was delivered in emails. The link is shortened to avoid detection.
  • The link leads to a phishing site imitating the user's bank, which asks for the user's banking credentials.
  • The login page then demands the victim's phone number and email address.
  • The victim is then told to download the bank's app and is shown a prompt for a fake app.
  • The site also guides the victim to allow "Unknown sources" in the device settings so the fake app can install, and to grant it Device Admin privileges after installation.
  • The app (downloaded by 7% of the visitors) finally drops the Marcher banking trojan.

This trojan demands several permissions and gains the ability to:

  • Read/write to external storage
  • Access location
  • Read, write and send SMS messages (could be used to send paid SMS)
  • Initiate a phone call without going through the Dialer user interface (again, could cost the victim money)
  • Read contacts data
  • Force the device to lock
  • Change Wi-Fi connectivity state, along with other similarly excessive permissions.
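A defender-side check for the permission pattern listed above, added here as an example and not taken from the article or from Proofpoint's research: it parses a decoded AndroidManifest.xml (the sample manifest is constructed) and flags an app that combines SMS access, direct phone calls and a Device Admin receiver.

```python
# Added example: triage a decoded AndroidManifest.xml for the Marcher-style
# permission set listed above. The sample manifest is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permission groups matching the capabilities the trojan requests.
RISKY_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS", "android.permission.WRITE_SMS"},
    "call": {"android.permission.CALL_PHONE"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "wifi": {"android.permission.CHANGE_WIFI_STATE"},
}

def analyze_manifest(xml_text: str) -> dict:
    """Report which risky groups are requested, whether a Device Admin
    receiver is declared (needed to force-lock), and a combined verdict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    groups = sorted(g for g, perms in RISKY_GROUPS.items() if requested & perms)
    device_admin = any(r.get(PERMISSION) == "android.permission.BIND_DEVICE_ADMIN"
                       for r in root.iter("receiver"))
    # SMS + phone calls + Device Admin together is far beyond what a
    # legitimate banking app needs, so that combination drives the verdict.
    suspicious = device_admin and {"sms", "call"} <= set(groups)
    return {"groups": groups, "device_admin": device_admin, "suspicious": suspicious}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

print(analyze_manifest(SAMPLE_MANIFEST))
```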

After obtaining banking login data, email and phone data, and excessive permissions, the trojan prompts users to enter their credit card number whenever they open the Google Play Store or other apps, effectively stealing everything financial from the user.

In this latest campaign, attackers used shortened URLs, copied the user interface of the targeted bank's website and app, used a legitimate-looking icon after the app was installed, and even used look-alike top-level domains (if the bank used .info, they used .gdn) to trick users into believing it was indeed their bank.

"As we use mobile devices to access the web and phishing templates extend to mobile environments, we should expect to see a greater variety of integrated threats like the scheme we detail here," Proofpoint wrote in its research. "As on the desktop, mobile users need to be wary of installing applications from outside of legitimate app stores and sources and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites."
