Android Banking Trojan Marcher Infects Devices to Steal Payment Cards

Marcher has the ability to evade anti-virus detection.

Cyber-security researchers at Securify, a Dutch security firm, have been evaluating the Marcher Android banking Trojan for the past six months. They have come to the conclusion that Marcher has been there since 2013 and its attacking tactics have been evolving since then. Until now, the Trojan has managed to infect thousands of Android devices with a single botnet and also stolen a considerable number of payment cards. On the whole, 9 Marcher botnets have been discovered by the researchers.

According to Securify researchers, in late 2013 when the Trojan became activated it trapped users through Google Play phishing pages to get their payment card details. In March 2014, the primary focus of attacks became German financial institutions because analysis suggested that a majority of Marcher’s victims were Germany-based banks. However, by 2016, the malware’s target list spread to over 60 organizations across the United States, United Kingdom, France, Australia, Spain, Poland, Turkey and many other countries. The malware was hidden in apps that were believed to be harmless and pretty reliable such as Netflix, Super Mario Run game and the popular messaging app WhatsApp.

Securify researchers explained about the malware: “Marcher is one of the few Android banking Trojans to use the AndroidProcesses library, which enables the application to obtain the name of the Android package that is currently running in the foreground. This library is used because it uses the only (publicly known) way to retrieve this information on Android 6 (using the process OOM score read from the /proc directory).”

Securify researchers have identified the nine botnets of Marcher and each of the botnets contain new modules and can perform targeted web injects as directed by the attackers. One of the nine botnets targets banks in France, Austria and Germany and until now it has managed to infect over 11,000 devices. 5,700 infected devices were in Germany while 2,200 in France and the command and control server of the attackers has stored 1,300 payment card numbers apart from other significant banking data.


Source: Securify

Although most of the devices that got infected through Marcher were using the Android 6.0.1 version, it is also a fact that over 100 infected devices were running Android 7.0. Marcher performs its task by firstly inspecting the apps enabled by the victim and if the targeted app is identified, then it displays an overlay screen to deceive the victim and obtain sensitive information.

Bot amount according to Android versions

The malware can also avoid detection or removal by security products by blocking mobile antivirus applications. Around seven months back, researchers noted that Marcher was able to block eight antivirus apps and according to latest analysis it can block over two dozen apps.


DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.

Newest Sales

Written by Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.