Android Marcher Trojan Masquerades as Flash Update

Researchers are warning of a new iteration of the sophisticated Marcher banking trojan, capable of targeting over 40 financial applications.

Zscaler explained in a blog post that the latest version of the malware is disguised as an Adobe Flash player update: Adobe_Flash_2016.apk.

The malware will also use social engineering to trick users into disabling security on their Android device and allowing third party apps to install.

Once installed, the malware will hide itself from view and remove any icons on the main menu, before registering the victim’s device and any relevant metadata to its C&C server.

“After a few sleep cycles, the malware waits for the user to open an app from its targeted list. We found that this variant is capable of targeting over 40 financial apps. When the user opens any of the targeted apps, the malware will quickly overlay a fake login page, which lures the victim into supplying user credentials,” explained Zscaler.

This version of Marcher is particularly dangerous as it contains obfuscation techniques to hide it from most AV tools, the firm added.

In total, less than 20% detected it on VirusTotal.

“The overlay (fake) login pages for the financial apps are hosted remotely, allowing the author to update them as needed,” the security vendor continued.

“If the user falls for the fake login page and enters his or her banking credentials, the Marcher Trojan relays the information to the C&C server.”

Zscaler said the frequent updates to Marcher reveal the malware is an “active and prevalent threat to Android devices.”

“To avoid being a victim of such malware, be sure to download apps only from trusted app stores, such as Google Play,” it concluded. “By unchecking the ‘Unknown Sources’ option under the ‘Security’ settings of your device, you can prevent inadvertent downloads from questionable sources.”

What’s Hot on Infosecurity Magazine?