Recent Posts

Recent Blog Posts

The PhishLabs Blog

Android.Trojan.Marcher - Part Two

Posted by Don Jackson, Director of Threat Intelligence on Jan 28, '16
Find me on:

About Part One

Last week I posted a blog analyzing "Marcher" - malware targeting the Android platform. Designed to steal mobile banking app credentials from banking customers, it is one of the most prevalent Android password stealers seen in the wild. Read part one here.

Continuing the discussion, let’s go a little deeper into exactly who, what, and where Marcher is targeting, and how.
Targeted Apps & Organizations

Recent samples of Marcher have been configured to monitor for the launch of at least 42 different applications, and some of those include multiple apps published by the same organization.  Eight of the apps include the Chrome browser and built-in android applications such as Phone, Contacts, Browser, Calendar, and Settings.  Other targets are apps for these organizations, broken down by country:


Chart 1 - Breakdown of countries of known organizations whose apps are targeted by Marcher


  • BankWest
  • ING Direct
  • Westpac
  • BankSA, Bank of South Australia
  • George Bank
  • Commonwealth Bank of Australia, specifically targets the NetBank app
  • NAB, National Australia Bank


  • Commerzbank
  • Deutsche Bank
  • ING DiBa
  • Sparkasse, as well as their subsidiary Star Finanz
  • Adesso
  • Deutsche Postbank
  • DKB, Deutsche Kreditbank
  • DZ Bank
  • Fiducia & GAD IT, the provider for many of Germany's "FinanzGruppe" co-operative banks and savings and loans-type institutions
  • Santander Bank, formerly Sovereign Bank, who are US-based but have international operations, and the German mobile app is targeted specifically
  • Volkswagen Financial Services
  • Lufthansa (the German airline)


  • Caisse D'Epargne, Banque et Assurances (a savings bank)
  • La Banque Postale

 United States

  • Mendons, a Michigan-based financial services company
  • WellStar, a healthcare network account management and billpay app


  • PayPal

 Other versions may have more, fewer, or different targets; however the built-in Android and several of the German banking apps have been the default shipped with Marcher kits since March 2014.  The Australian banks were added in even later versions.

 To determine differences in targeting between specimens, PhishLabs examines the list embedded into the Marcher APK's executable code:


Image 1 - Reverse engineered Marcher code showing where the targets are defined

Alongside the list of targeted apps (package names) are the URLs for the respective webpages used for credential stealing and data theft.  For example, the code in the above specimen says that when either of these apps are detected:

  • ing.diba.ibbr
  • ing.diba.mbbr2
  • ing.diba.smartsecure2
  • ing_diba.kontostand

 ... then overlay the app's screen with the web page from:

 ... which looks like the following:


Image 2 - Example of fake/phishing webpage overlay

Some of the web pages are simple, one-step entry forms, while others are more interactive. 

In our next blog post – part three of this topic - we will round out this analysis of Marcher with a discussion on the network and host indicators associated with this Trojan.

Continue to Part Three

Topics: Malware, Trojan, Android, Banking Trojan

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all