A multi-pronged attack on Android devices has been uncovered, which incorporates a bevy of threat vectors and social engineering tricks into a single scheme involving the Marcher Android banking Trojan.
According to researchers at Proofpoint, attacks begin with a banking credential phishing scheme, followed by an attempt to trick the victim into installing the Marcher banking trojan, before finally finishing up with attempts to steal credit-card information.
“As our computing increasingly crosses multiple screens, we should expect to see threats extending across mobile and desktop environments,” said Proofpoint researchers, in an analysis. “Moreover, as we use mobile devices to access the web, and phishing templates extend to mobile environments, we should expect to see a greater variety of integrated threats like the scheme we detail here.”
They added that attacks involving Marcher have become increasingly sophisticated, with documented cases involving multiple attack vectors and a variety of targeted financial services and communication platforms. In this latest case, a threat actor has been targeting customers of Bank Austria, Raiffeisen Meine Bank and Sparkasse since at least January 2017.
Marcher is frequently distributed via SMS, but in this case, victims are presented with a link in an email. Oftentimes, the emailed link is a bit.ly shortened link, likely used to evade detection. The link leads to a phishing page that asks for banking login credentials or an account number and PIN. Once the victim enters their account information on the landing page, the phishing attack then requests that the user log in with their email address and phone number in step two of the credential phish.
Having stolen the victim’s account and personal information, the scammer then introduces a social engineering scheme, informing users that they currently do not have the “Bank Austria Security App” installed on their smartphone and must download it to proceed and to prevent their accounts from being blocked. A URL and QR code are provided, leading to a bogus version of the app, using stolen branding and fraudulent copy, that is actually just the Marcher banking trojan in disguise.
In addition to operating as a banking trojan, overlaying a legitimate banking app with an indistinguishable credential theft page, the malware also asks for credit-card information from infected users when they open other applications.
To avoid being a victim, mobile users should be wary of installing applications from outside of legitimate app stores, and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites.
“Unusual domains, the use of URL shorteners and solicitations that do not come from verifiable sources are also red flags for potential phishing and malware,” the researchers added.
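As an added example that is not part of the Proofpoint analysis, the red flags above turned into a triage heuristic for links extracted from an email; the shortener list, the brand tokens and the assumed-legitimate bank hosts are constructed assumptions, as are the sample links.

```python
# Added example, not from the article: score email links against the red flags
# the researchers name (URL shorteners, unusual domains carrying a bank brand,
# links that hand out an app outside an app store).
from urllib.parse import urlparse

URL_SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}  # assumption: common shorteners
# Assumed-legitimate hosts for the brands named in the article (constructed; verify before use)
LEGIT_BANK_HOSTS = {"bankaustria.at", "raiffeisen.at", "sparkasse.at"}
BRAND_TOKENS = ("bankaustria", "bank-austria", "raiffeisen", "sparkasse")


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels (assumption: no multi-label public suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_url(url: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one link; a higher score means more suspicious."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    domain = registered_domain(host)
    reasons = []
    if domain in URL_SHORTENERS:
        reasons.append("url shortener")
    # A bank brand inside a hostname that is not the bank's own domain is a lookalike signal
    compact = host.replace(".", "").replace("-", "")
    if any(tok.replace("-", "") in compact for tok in BRAND_TOKENS) and domain not in LEGIT_BANK_HOSTS:
        reasons.append("bank brand on non-bank domain")
    if parsed.scheme == "http":
        reasons.append("plain http")
    if parsed.path.lower().endswith(".apk"):
        reasons.append("direct APK download (sideloading)")
    return len(reasons), reasons


def triage(urls):
    """Order links by suspicion so an analyst sees the worst first."""
    scored = [(score_url(u), u) for u in urls]
    return sorted(((s, r, u) for (s, r), u in scored), key=lambda t: -t[0])


# Constructed sample links; these are not indicators from the article
SAMPLE_LINKS = [
    "https://bankaustria.at/online-banking",
    "http://bit.ly/abc123",
    "http://bankaustria-security.example/app/BankAustriaSecurity.apk",
]

if __name__ == "__main__":
    for score, reasons, url in triage(SAMPLE_LINKS):
        print(score, url, reasons)
```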