Cybersecurity researchers have discovered a new variant of the Marcher Android banking malware. The latest variant poses as an Adobe Flash Player update. Previous versions of Marcher have posed as a security update, a Super Mario mobile game, and more.
Researchers at cloud security firm Zscaler said this version of the banking trojan uses new lure techniques to spread, including adult content and links that exploit the hype around new mobile games. All malware downloads come from third-party sites, not the Google Play store.
Once the victim opens the dropper URL, they are prompted with a message saying the device's Flash Player needs updating. The update is fake, but if the user goes through with it and downloads the payload, the device becomes infected.
Marcher even offers a step-by-step guide to disabling security settings so the device can install third-party software, an option that is turned off by default on Android devices and is a key protection against malicious software.
Once installed, the malware immediately hides itself by removing its icon from the phone menu, and registers the infected device with its command and control (C&C) server. All of the device's metadata, including the list of installed apps, is sent to the C&C server.
Stealing login credentials
Marcher allows the cybercriminals behind it to steal login credentials and gain access to bank accounts and email services.
Some of the apps for which Marcher serves fake login pages include Citibank, TD Bank, PayPal, Gmail, Facebook, Walmart, Amazon, Western Union and more.
Researchers said that 20 percent of antivirus software was able to detect this new form of Marcher. Its code is heavily obfuscated, which makes it even more dangerous.
"The frequent changes in the Marcher family indicate that the malware remains an active and prevalent threat to Android devices," said Viral Gandhi, senior security researcher at Zscaler.
Android malware may be everywhere, but much of it can be prevented simply by keeping app installation from outside the Play Store disabled.