Experts warn of the rapid growth of the Marcher Android banking Trojan

Malware researchers at the security firm Securify have published a detailed analysis of the Marcher Android banking Trojan.

Security experts at the Securify have published a detailed analysis of the Marcher Android banking Trojan, a threat that has been around since late 2013. First variants of the malware were developed to trick users into handing over their payment card details using Google Play phishing pages. On March 2014, Marcher was observed targeting bank customers in Germany.

In the second half of 2016, the threat targeted dozens of organizations in various countries, including U.S., U.K., Australia, France, Poland, Turkey, and Spain.

The malicious code has been disguised as various popular apps, including WhatsApp and Netflix.

Early 2017, security experts at Zscaler have spotted a strain of the Android Marcher Trojan masqueraded as the recently released Super Mario Run mobile game for Apple’s iOS.

Super Mario Run is still not available for Android, and crooks are taking advantage of this to spread their malicious variant.

“In this new strain, the Marcher malware is disguised as the Super Mario Run app for Android. Knowing that Android users are eagerly awaiting this game, the malware will attempt to present a fake web page promoting its release.” states the analysis published by Zscaler.

Researchers at Securify have detected nine Marcher botnets over the last 6 months, the threat actors leverage web injects to target a large number of different apps.

The vast majority of bots were located in Germany (51%), followed by France (20%), and UK (7%).

“Based on statistics of the backend we know that their campaign has successfully infected 5696 German and 2198 French mobile devices over total of 11049 affected mobile devices.” reads the analysis published by Securify. “While assessing their C2 server, we found that most infected devices are running Android 6.0.1. The C2 server at the time of investigation contained at least 1300 credit card numbers and other bank information (username/password + SMS tan). “

The Marcher malware is able to check foreground apps, when a targeted app is executed the malicious code uses an overlay screen to trick victims into handing over sensitive information, such as login credentials and credit card data.

“Marcher is one of the few Android banking Trojans to use the AndroidProcesses library, which enables the application to obtain the name of the Android package that is currently running in the foreground. This library is used because it uses the only (publicly known) way to retrieve this information on Android 6 (using the process OOM score read from the /proc directory),” Securify researchers explained.

The malware also implements a simple as effective antivirus evasion technique, it maintains a list of most popular antivirus solutions for which it prevents the  removal.  Marcher monitors for any AV app in the list and if it is running, it will force the mobile device back to the home screen. Even the AV program detects the Marcher malware, it will still wait and ask for permission from users before removing it, but because the user can’t give the permission, the malware will not be deleted.

The “solid organization” behind the Marcher Trojan makes the threat very dangerous, experts consider it effective like other notorious banking malware like Sinowal/Torpig, Dyre, Dridex, and Gozi.

“Based on the statistics we found on this one C2 panel we researched and the amount of different C2 panels out there, we believe that the potential financial losses due to Android banking Trojans are, or will soon be, bigger than the current losses from desktop malware like Gozi and Dridex, especially since hardly any of the banking apps seem to detect the attack,” concluded the experts.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Marker malware, Trojan)