About Part One
Last week I posted a blog analyzing "Marcher", malware targeting the Android platform. Designed to steal mobile banking app credentials from banking customers, it is one of the most prevalent Android password stealers seen in the wild. Read part one here. Continuing the discussion, let's go a little deeper into exactly who, what, and where Marcher is targeting, and how.
Targeted Apps & Organizations
Recent samples of Marcher have been configured to monitor for the launch of at least 42 different applications, and some of those are multiple apps published by the same organization. Eight of the 42 are not financial apps at all: the Chrome browser and built-in Android applications such as Phone, Contacts, Browser, Calendar, and Settings. The remaining targets are apps for the following organizations, which the chart breaks down by country:
Chart 1 - Breakdown of countries of known organizations whose apps are targeted by Marcher
- ING Direct
- BankSA, Bank of South Australia
- George Bank
- Commonwealth Bank of Australia, specifically the NetBank app
- NAB, National Australia Bank
- Deutsche Bank
- ING DiBa
- Sparkasse, as well as their subsidiary Star Finanz
- Deutsche Postbank
- DKB, Deutsche Kreditbank
- DZ Bank
- Fiducia & GAD IT, the provider for many of Germany's "FinanzGruppe" co-operative banks and savings and loans-type institutions
- Santander Bank, formerly Sovereign Bank, which is US-based but has international operations; its German mobile app is the one targeted
- Volkswagen Financial Services
- Lufthansa (the German airline)
- Caisse D'Epargne, Banque et Assurances (a savings bank)
- La Banque Postale
- Mendons, a Michigan-based financial services company
- WellStar, a healthcare network account management and billpay app
Other versions may have more, fewer, or different targets; however, the built-in Android apps and several of the German banking apps have been the default target set shipped with Marcher kits since March 2014. The Australian banks were added in later versions.
To determine differences in targeting between specimens, PhishLabs examines the target list embedded in the Marcher APK's executable code:
Image 1 - Reverse engineered Marcher code showing where the targets are defined
Alongside the list of targeted apps (package names) are the URLs of the respective web pages used for credential stealing and data theft. For example, the code in the above specimen says that when either of these apps is detected:
... then overlay the app's screen with the web page from:
... which looks like the following:
Image 2 - Example of fake/phishing webpage overlay
Some of the overlay pages are simple, one-step entry forms, while others are more interactive.
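The package-name-to-overlay-URL table described above is what an analyst diffs to see how targeting changes between specimens. The script below is an added example, not PhishLabs' tooling or code from Marcher itself: it pulls (package, URL) pairs out of a decompiled target table, separates the built-in Android packages from third-party apps, diffs two specimens, and lists the overlay hosts. The two specimen strings are constructed, the `map.put("<package>", "<url>")` layout is an assumption about how the table appears after decompilation, and the bank package names and URLs are illustrative placeholders; only the built-in Android package names are real identifiers.

```python
import re
from urllib.parse import urlparse

# Standard AOSP/Google package names for the built-in apps the post says
# Marcher watches alongside banking apps.
BUILTIN_PACKAGES = {
    "com.android.chrome",
    "com.android.phone",
    "com.android.contacts",
    "com.android.browser",
    "com.android.calendar",
    "com.android.settings",
}

# Constructed stand-ins for decompiled Marcher target tables. The post does
# not reproduce the real layout; this assumes one map.put("<package>",
# "<overlay url>") call per target. Bank package names and URLs are
# placeholders, not real indicators.
SPECIMEN_A = '''
    map.put("com.android.chrome", "http://c2.example/overlay/generic.php");
    map.put("com.android.contacts", "http://c2.example/overlay/generic.php");
    map.put("de.bank.example", "http://c2.example/overlay/de_bank.php");
'''

SPECIMEN_B = '''
    map.put("com.android.chrome", "http://c2.example/overlay/generic.php");
    map.put("com.android.contacts", "http://c2.example/overlay/generic.php");
    map.put("de.bank.example", "http://other-c2.example/overlay/de_bank.php");
    map.put("au.bank.example", "http://other-c2.example/overlay/au_bank.php");
'''

# One put() call: a package name, then the overlay URL for that package.
PUT_RE = re.compile(r'put\("([A-Za-z0-9_.]+)",\s*"([^"]+)"\)')


def parse_targets(decompiled):
    """Return {package_name: overlay_url} from decompiled target-table code."""
    return {pkg: url for pkg, url in PUT_RE.findall(decompiled)}


def classify(targets):
    """Split targets into built-in Android packages and third-party apps."""
    builtin = sorted(p for p in targets if p in BUILTIN_PACKAGES)
    third_party = sorted(p for p in targets if p not in BUILTIN_PACKAGES)
    return builtin, third_party


def diff_targets(old, new):
    """Targets added, removed, or re-pointed at a different overlay URL."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    url_changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "url_changed": url_changed}


def overlay_hosts(targets):
    """Distinct hosts serving overlay pages; a starting point for network IOCs."""
    return sorted({urlparse(url).netloc for url in targets.values()})


if __name__ == "__main__":
    a, b = parse_targets(SPECIMEN_A), parse_targets(SPECIMEN_B)
    print("built-in / third-party in A:", classify(a))
    print("changes A -> B:", diff_targets(a, b))
    print("overlay hosts in B:", overlay_hosts(b))
```

On the constructed input, the diff shows one Australian target added and the German overlay moved to a second host, which is the kind of change the post describes between the March 2014 default set and later kits. Against a real sample, replace the specimen strings with the decompiled method that populates the table and adjust `PUT_RE` to whatever call the decompiler emits.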
In our next blog post, part three of this topic, we will round out this analysis of Marcher with a discussion of the network and host indicators associated with this Trojan.