Part 1 of 3
"Marcher" is malware targeting the Android platform. It is designed to steal mobile banking app credentials from customers of many different financial institutions. Distributed through a variety of means, it is one of the most prevalent Android password stealers seen in the wild, second only to Svpeng.
History and distribution
Marcher first arrived on the scene in late 2013. That version infected devices of primarily Russian users, and it targeted only Google Play credentials and payment card data. The app monitored the system, watching for the user to launch the Google Play Store app, and then displayed a screen asking for credit card information.
In March 2014, a new variant arrived using the same tactics to target primarily financial institutions in Germany. Over time, the list of targeted mobile banking and other applications has grown considerably.
Marcher is available as a kit for sale on underground web forums and dark web markets. Buyers represent different threat actor groups with their own preferred distribution methods and targets. The kit includes webpages that emulate various login pages or payment card acceptance pages for other mobile apps.
Besides passive placement on unofficial, third-party app repositories, Marcher is actively distributed to potential victims via several different vectors, including:
- PC adware, including targeting via tracked visits to the websites of targeted financial institutions
- Mobile adware and "app pushers"
- Links spammed on microblogging and social media services
- Links in spam email messages
- SMS messages, including SMS sent from users already infected to their contacts
Links and adware typically redirect potential victims to download and install the Trojan as an APK (Android Package) file from a compromised website.
How does it operate?
Marcher monitors the Android system for the launching of specific apps based on their internal app or "package" name. For example, to detect launching of the default, built-in Android web browser, which has an icon and a caption of just "Browser," Marcher looks for launching of the package named "com.android.browser".
If an action is configured to be triggered by the launch of a certain application, Marcher overlays the legitimate app's screen -- typically a login screen, card acceptance screen, or token/mTAN (mobile Transaction Authentication Number) code entry screen -- with a fullscreen webpage downloaded on demand from a remote server under the attacker's control. Credentials and other targeted information entered into the overlay webpage are collected and uploaded to the attacker.
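The behaviour described above (watching for a target package to come to the foreground, drawing a fullscreen overlay on top of it, and capturing mTAN codes delivered by SMS) maps onto a small set of Android permissions an app must request. The following triage script is an added example for analysts, not code from the original post or from any Marcher sample: it parses a decoded AndroidManifest.xml (extracted beforehand with a tool such as apktool, which is not shown here) and scores the permission combination. The mapping of permissions to capabilities, the scoring weights, and both sample manifests are the editor's assumptions, constructed for illustration; the permission names themselves are real Android permission identifiers.

```python
"""Permission-based triage for overlay-style Android banking Trojans.

Added example (editor's assumption, not Marcher's own code or config):
flag a manifest that combines foreground-app monitoring, screen overlay and
SMS interception, the capabilities an overlay credential stealer needs.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability buckets. Each entry is a real Android permission name; the
# grouping and weighting below are the editor's heuristic, not from the post.
OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW"}
FOREGROUND_APP_MONITOR = {
    "android.permission.GET_TASKS",            # legacy foreground-app lookup
    "android.permission.PACKAGE_USAGE_STATS",  # UsageStatsManager-based lookup
}
SMS_INTERCEPT = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_SPREAD = {"android.permission.SEND_SMS"}


def manifest_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name="..."> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def package_name(manifest_xml: str) -> str:
    """Return the app's own package name (the value Marcher matches on for targets)."""
    return ET.fromstring(manifest_xml).get("package", "")


def overlay_trojan_indicators(manifest_xml: str) -> dict:
    """Map the manifest's permissions onto the capability buckets."""
    perms = manifest_permissions(manifest_xml)
    return {
        "overlay": bool(perms & OVERLAY),
        "foreground_monitor": bool(perms & FOREGROUND_APP_MONITOR),
        "sms_intercept": bool(perms & SMS_INTERCEPT),
        "sms_spread": bool(perms & SMS_SPREAD),
    }


def risk_score(manifest_xml: str) -> int:
    """One point per capability; two extra when overlay and foreground
    monitoring co-occur, since that pair is the core of the technique."""
    ind = overlay_trojan_indicators(manifest_xml)
    score = sum(ind.values())
    if ind["overlay"] and ind["foreground_monitor"]:
        score += 2
    return score


# Constructed sample manifests (not real samples).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.fakeplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Video Player"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight"/>
</manifest>"""


if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(package_name(sample), risk_score(sample), overlay_trojan_indicators(sample))
```

A high score is a reason to look closer, not a verdict: legitimate accessibility tools and some messaging apps legitimately hold several of these permissions, so the indicators are meant to prioritise samples for manual review, and on newer Android versions the overlay and usage-stats permissions also require explicit user grants that an analyst should check for separately.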
End of part one.
In a future blog post, we will dig deeper into Marcher with a list of targeted apps and organizations, broken down by country, and provide sample data to further illustrate the malware’s delivery and distribution methods.