In February 2017 we reported about Marcher Android banking Trojan, which was discovered by Dutch security firm Securify’s researchers and managed to infect thousands of devices through a single botnet to steal payment cards by exploiting AndroidProcesses library. The same malware that was reportedly active since 2013 has made a comeback and is much more threatening than ever.
According to cyber-security researchers at Proofpoint, the new Marcher campaign includes three security threats namely phishing, banking Trojan, and credit card theft into a single, comprehensively designed campaign. This multi-step scheme is mainly targeted towards Bank of Austria’s customers while users or Android devices are at risk. Until now, at least 20,000 users have been affected by this new campaign.
What makes it unique is the fact that hackers have adopted an unconventional approach by combining three techniques into one.
Proofpoint researchers wrote in their blog post that the campaign is active since January; in previous Marcher malware campaign the malicious code was distributed via SMS, but in this scheme, the link leading to the malware is sent through a phishing email. Since the link has been shortened, therefore, it is quite difficult to be detected.
Furthermore, attackers have created a replica of the targeted bank’s user interface, designed an authentic looking icon for the app so that it looks legitimate and somehow acquired top-level domains such as .gdn to deceive users fully.
When the user clicks on the link, he/she is lead to a phishing site of the bank used by the victim where banking credentials are requested to be entered along with phone number and email address. Then the victim is asked to download a fake app titled Bank Austria Security App. It seems to be official bank app, and then the victim is asked to all apps from Unknown sources after modifying the device’s security settings. It then acquires Device Admin privileges.
The victim is warned about blocking of the account in case the app is not installed. Around 7% of the visitors have already downloaded this app, which is responsible for ultimately dropping Marcher banking Trojan.
After installation, Marcher asks for various permissions and gets the following excessive privileges: Read/Write data to external storage device, Location Access, Read/Write/Send SMS, launch phone call without using the Dialer user interface, access Contacts, get the device Locked at any time, modify Wi-Fi connectivity status. It is worth noting that the malware can make calls and SMS messages, both of which would cost the user.
When the banking credentials, email ID, phone data and other information is acquired, the malware then asks the victim to provide credit card number as soon as Google Play Store or any other app is opened. This is how the malware managed to steal all kinds of financial data from the victim.
Proofpoint researchers wrote in their blog post that both desktop and mobile phone users need to be cautious while installing apps from third-party platforms and must only prefer “legitimate app stores and sources.” Moreover, users must be wary of fake banking websites asking for excessive information that a bank would normally ask for or need. Also, start using a reliable mobile security product before it’s too late.