Threat Report

Marcher Malware’s Triple Play Return

What Is It?

A new variant of the Marcher Android banking malware, a family first seen in the wild in 2013, has recently been reported on by various media outlets.

The Marcher malware is part of a three-way attack aimed at customers of Austrian banks.

The first component of this attack is a phishing email containing a link routed through a URL redirection service, which hides the true destination from the recipient. The link takes the user to a phishing site that duplicates the bank's legitimate online banking login page in an attempt to steal the user's credentials. After the user enters their credentials, the fake site also requests the user's email address and phone number.

At this point, the second phase of the attack begins. The user is presented with a webpage advising that they do not have the bank's required "Security App" and providing another link and a QR code for downloading it. The page even includes instructions on accepting the Android system permissions requested by the app. The app is, of course, a variant of the Marcher banking trojan.

The third aspect of the attack is that, in addition to stealing the user's online banking credentials, the Marcher trojan prompts the user to enter credit card details when certain apps, such as the Google Play Store, are opened. The trojan also attempts to obtain other supporting information, such as the user's date of birth, address, billing phone number and password, by presenting fake Verified by Visa and MasterCard SecureCode screens.
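The first two phases of the chain described above are visible at the email and web gateway before any malware runs on the phone: the phishing email carries a link through a redirection service, and the fake "Security App" page hands out an Android package via another link. The following Python triage routine, an added example that is not code from the original report or from BluVector, shows the checks a mail or proxy filter can apply to such links offline: flag URLs that pass through a known redirector, flag hosts that carry the bank's brand name without being the bank's registered domain, and flag direct .apk downloads. The hostnames, the redirector list and the sample email body are constructed for the example; a real deployment would load the redirector list and the protected brands from its own threat intelligence and would also have to follow the redirect in a sandbox, since a redirection service does not reveal its destination in the link itself.

```python
import re
from urllib.parse import urlparse

# Constructed reference data (assumptions for this example, not from the report):
# the impersonated bank's legitimate registrable domain, the brand keyword an
# attacker would put in a lookalike hostname, and hosts known to act as
# URL redirection services.
LEGIT_BANK_DOMAINS = {"examplebank.at"}
BRAND_KEYWORDS = ("examplebank",)
REDIRECTOR_HOSTS = {"short.example", "redir.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return every http(s) URL found in a message body, in order of appearance."""
    return URL_RE.findall(text)


def registrable_domain(host):
    """Naive registrable domain: the last two labels of the hostname.
    Sufficient for the constructed sample; production code should consult a
    public-suffix list so that e.g. 'co.uk' is handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_url(url):
    """Return the list of reasons a URL looks suspicious; an empty list means
    none of the checks fired. Checks are independent, so one URL may collect
    several reasons."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    domain = registrable_domain(host)

    # Phase one: link routed through a redirection service hides its target.
    if host in REDIRECTOR_HOSTS:
        reasons.append("redirector")

    # Phase one/two: brand name in the hostname, but not the bank's real domain.
    # This also catches the subdomain trick 'examplebank.at.evil.example'.
    if any(kw in host for kw in BRAND_KEYWORDS) and domain not in LEGIT_BANK_DOMAINS:
        reasons.append("lookalike-domain")

    # Phase two: the "Security App" is a sideloaded Android package.
    if parsed.path.lower().endswith(".apk"):
        reasons.append("apk-download")

    return reasons


def triage_message(body):
    """Map every URL in a message body to its triage reasons."""
    return {url: triage_url(url) for url in extract_urls(body)}


def is_suspicious(body):
    """True if any URL in the body triggered at least one check."""
    return any(triage_message(body).values())


# Constructed sample email body mirroring the two phishing stages in the report.
SAMPLE_PHISH = """Dear customer, please confirm your online banking login here:
https://short.example/aB3x
Then install the required Security App:
https://examplebank-secure.example/app/SecurityApp.apk
"""

if __name__ == "__main__":
    for url, reasons in triage_message(SAMPLE_PHISH).items():
        print(url, "->", ", ".join(reasons) or "clean")
```

Run as a script, the sample body yields one hit for the redirector link and two reasons (lookalike domain plus APK download) for the "Security App" link; a link to the bank's genuine domain produces no reasons. The lookalike check deliberately compares the registrable domain rather than the full hostname, so brand names placed in a subdomain of an attacker-controlled domain are still flagged.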

How Does It Propagate?

Previous variants of Marcher malware have been distributed via text messages. In this case, propagation relies on successfully socially engineering the user into installing the malware in the belief that it is an app required by their bank. This only happens if the user has already been socially engineered into clicking the link in the phishing email and entering their credentials into the fake online banking site.

Attackers continue to use social engineering to exploit the most vulnerable component of any computer system, the user, because this attack vector is reliably successful. User education is a critical part of securing any corporate network. With Android devices becoming more commonplace in enterprise networks due to BYOD policies, they offer an additional infection vector for malware if they are not monitored and managed correctly.

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detects the Marcher Android app as malicious. Regression testing has shown the file would have been detected by BluVector 11 months prior to its release. Note: BluVector would only detect the malware if the mobile device was connected to a corporate network monitored by a BluVector appliance.
