Porn Sites Deliver Money-Stealing Android Trojan

The Android Marcher trojan has been using pornographic sites to scam users into downloading a malicious file—disguised as an app on the Google Play store—that seeks to steal a victim's financial data.

According to Zscaler, the malware was being delivered as a URL via e-mail or SMS that prompts the victim to download and install Adobe Flash Player in order to access a porn website. Once installed, the Marcher Trojan asks for administrative controls, and the user then receives an MMS with a link to the X-VIDEO porn app on a fake Google Play store. The app in question has been downloaded more than 100,000 times.

From there, the app asks the user to enter payment credentials, and the hackers are off to the races.

The malware also recognizes other payment apps on the user's device and can present a fake online banking login page based on information it collects about the banking apps already installed there. This new wave of Marcher that uses porn has exhibited more than 50 unique payloads.

“[The] Android Marcher trojan was first seen in 2013 scamming users for credit card information by prompting [a] fake Google Play store payment page,” Zscaler detailed in an analysis. “In subsequent years, Marcher variants also started targeting banking applications by presenting fake login pages to steal user credentials. Marcher has continued to stay active.”

The company researchers added, “The primary goal of this malware is still the same—display a fake Google Play store payment page and steal financial information from the user.”

To avoid being a victim of Marcher and other malware, it is always best to download apps only from trusted app stores, such as Google Play. This can be enforced by unchecking the "Unknown Sources" option under the "Security" settings of a device.
