The PhishLabs Blog

Marcher and Other Mobile Threats: What You Need to Know

Posted by Joshua Shilko on May 26, '17

When most people think about cyber risk, they think primarily of their organization’s servers, PCs, and laptops, and how they might be vulnerable to attack.

But in recent years, the way in which users interact with the outside world has changed. In March this year, for the first time ever, Android overtook Windows to claim the largest share of Internet traffic.

And naturally, where users go, threat actors will surely follow.

For the past few years, we’ve observed a gradual but consistent increase in the number of threat actors choosing to focus their efforts on mobile devices.

And we’re not just talking about mobile phones. Android and iOS account for the majority of mobile and tablet installations, and as a consequence are heavily targeted, but there have also been many attacks targeting Internet of Things (IoT) devices such as smart TVs, thermostats, and even fridges.

So how exactly do mobile attack vectors threaten your organization? And, perhaps more importantly, what can you do about it?


The Rogues Gallery: Mobile Malware

For the most part, mobile threats closely mirror those found on conventional operating systems such as Windows and Mac OS X. Some of the most common threats include:

Remote Access Trojans (RATs)

RATs are applications that enable threat actors to covertly monitor and interfere with the way a device is used. RATs often include keylogger-style functionality, such as automatic collection of usernames, passwords, email and SMS messages, and so on. Even more alarmingly, though, RATs enable threat actors to remotely control infected devices, allowing them to monitor usage, change settings, steal files, and even utilize a device’s data allowance for potentially criminal activity.

Common functionality: Stealing and sending SMS messages, recording phone calls, turning on device microphone and camera, taking screenshots, exfiltrating data such as photos and videos.

Examples: SpyNote, OmniRAT, Dendroid.


Adware

While not necessarily one of the most significant threats to your organization, adware is certainly one of the most annoying mobile threats. For the most part, adware variants simply serve up out-of-context advertisements on top of or within legitimate mobile applications. Typically, these ads are used purely to generate pay-per-click (PPC) revenue for the threat actor responsible, although from time to time we do see malicious ads (malvertising) and/or additional app downloads.

Common functionality: Serving advertisements (legitimate or otherwise)

Examples: FalseGuide, found on the Google Play Store masquerading as game guides. A nasty one, as it also enrolls infected devices in a botnet.


Ransomware

Just like desktop ransomware, mobile ransomware seeks to extort money from infected users in the form of Bitcoins. Unlike desktop ransomware, though, the majority of mobile ransomware falls into the ‘locking’ category, preferring to simply lock users out of their device altogether rather than encrypting files. As a rule, users tend to view mobile data as ‘transient’, making them unlikely to pay ransoms delivered by crypto-ransomware variants.

Common functionality: Locking users out of mobile devices, demanding a ransom payment before access is restored.

Examples: Adult Player, Reveton, Simplocker, LockDroid.


Infostealers

Infostealers are malware variants designed to exfiltrate sensitive data from infected devices and send it back to the threat actor responsible. They were originally designed purely to steal login credentials, product keys, and other sensitive information. In recent years, though, as malware authors have gradually realized that a market exists for certain types of stolen data, infostealers have tended to focus more on stealing higher-value targets such as identity information, credit card details, and online banking credentials.

Common functionality: Usually just exfiltration; most infostealers don’t afford threat actors the same remote access capabilities as RATs.

Examples: Dresscode, MilkyDoor.

Banking Trojans

Banking trojans enable threat actors to steal millions of dollars from both businesses and individuals every year. Typically deployed by tricking device owners into installing email attachments or web downloads, banking trojans then lie dormant and wait for users to visit their online banking site. While early banking trojans simply aimed to steal login credentials, more advanced variants instead seek to subtly alter the user’s experience, enabling threat actors to covertly alter payment amounts and recipients, or even make additional payments to their own account.

Common functionality: Credential exfiltration, man-in-the-middle style transaction fraud.

Examples: Marcher, Bankbot.

To illustrate how powerful and damaging mobile malware can be, we’re going to zero in on one specific mobile malware variant: Marcher.

Marcher: The “New” Kid on the Block

Despite all the recent headlines, Marcher is not an especially new malware variant. First released for sale back in 2013, Marcher has seen multiple versions in the intervening years, with a wide variety of different capabilities. Significantly, Marcher is comfortably one of the most widespread Android banking trojans of the past few years.

When it comes to mobile malware, or any malware for that matter, one of the most obvious questions is “How does it spread?”

Unfortunately, as with most malware, there are multiple answers to this question. Most frequently, Marcher has been observed being spread through SMS messages, email, app stores, and mobile adware. Often, Marcher samples outwardly imitate popular applications, utilities, or companies, and make use of corresponding app icons in conjunction with social engineering techniques to convince targets of their legitimacy.


So what does it… do?

Well, while Marcher started out life very simply, seeking only to steal payment information, it has evolved a huge amount in the intervening four years. Just take a look at this list of permissions requested by a recent version of Marcher, identified by our analysts: 

  • android.permission.CHANGE_NETWORK_STATE (change network connectivity state)
  • android.permission.SEND_SMS (send SMS messages)
  • android.permission.USES_POLICY_FORCE_LOCK (lock the device)
  • android.permission.RECEIVE_BOOT_COMPLETED (start malware when device boots)
  • android.permission.INTERNET (communicate with the internet)
  • android.permission.VIBRATE (control the vibrator)
  • android.permission.ACCESS_WIFI_STATE (view information about the status of Wi-Fi)
  • android.permission.WRITE_SMS (edit/delete SMS)
  • android.permission.ACCESS_NETWORK_STATE (view the status of all networks)
  • android.permission.WAKE_LOCK (prevent the phone from going to sleep)
  • android.permission.GET_TASKS (retrieve running applications)
  • android.permission.CALL_PHONE (call phone numbers)
  • android.permission.WRITE_SETTINGS (read/write global system settings)
  • android.permission.RECEIVE_SMS (intercept SMS messages)
  • android.permission.READ_PHONE_STATE (read phone details of the device such as phone number and serial number)
  • android.permission.CHANGE_WIFI_STATE (connect to and disconnect from Wi-Fi networks and make changes to configured networks)
  • android.permission.READ_CONTACTS (read all contact data)
  • android.permission.READ_SMS (read SMS messages)

Among other things, these permissions enable the malicious application to:

  • Display web overlays on top of targeted apps or the browser
  • Lock the screen with an overlay
  • Intercept SMS messages and phone calls (stealing two-factor authentication codes through SMS forwarding)
  • Send SMS messages
  • Steal data (SMS, system and app info, contacts)
  • Detect the presence of antivirus applications
  • Use a SOCKS proxy module to make identifying threat actors more difficult

In essence, Marcher has evolved into a highly sophisticated threat, combining functionality from several of the malware categories described earlier. For this reason, Marcher has often been referred to more generally as “crimeware”, which does seem to fit the bill quite nicely.

So… What Now?

If you’re wondering why we’ve decided to highlight one of the most concerning current mobile threats, it’s not to scare you. Unfortunately, many organizations simply aren’t taking the increasingly pressing threat to their mobile devices seriously, which poses real problems for their overall security profile.

Thankfully, there are steps you and your users can take to minimize your organization’s risk in this area.

While mobile crimeware applications occasionally find their way onto official stores such as Google Play, Marcher is a little different. For the most part, Marcher is distributed using methods that require users to actively edit their security settings to allow applications from non-trusted sources to be installed.

At all times, users should be advised to keep ‘Unknown Sources’ disabled in the security settings menu, and under no circumstances to “root” their devices. Equally, users should be trained to avoid unsolicited mobile application download links shared via email, blogging sites, social media, SMS messages, or other similar services.

Equally, users should avoid third-party application repositories, and only download applications from trusted developers via official app stores. The legitimacy of applications on any official app store can be easily ascertained by checking the author’s official website or contacting them directly. To make this process easier, manufacturers often provide links to their official applications directly from their official website.

Finally, even when taking the above precautions, users should be wary of applications that request Device Administrator privileges or seemingly unnecessary permissions.

It is, after all, better to be safe than sorry. 
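The permission list above and the advice on Device Administrator requests can be turned into a quick triage check for an app under review. This is an added example, not PhishLabs code: it assumes the APK's AndroidManifest.xml has already been decoded to text, and the capability groups, the `needs_review` heuristic, and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Capability groups drawn from the permission list in the article.
GROUPS = {
    "sms_intercept": {P + "RECEIVE_SMS", P + "READ_SMS", P + "WRITE_SMS"},
    "boot_persistence": {P + "RECEIVE_BOOT_COMPLETED"},
    "running_app_probe": {P + "GET_TASKS"},
    "network": {P + "INTERNET"},
}

def triage_manifest(manifest_xml):
    """Return (requested permissions, capability flags) for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    flags = {name for name, members in GROUPS.items() if perms & members}
    # A receiver guarded by BIND_DEVICE_ADMIN means the app can prompt the
    # user for Device Administrator rights (required for force-lock policy).
    if any(r.get(ANDROID + "permission") == P + "BIND_DEVICE_ADMIN"
           for r in root.iter("receiver")):
        flags.add("device_admin")
    return perms, flags

def needs_review(flags):
    """Constructed heuristic: SMS interception + network + app probing or admin."""
    core = {"sms_intercept", "network"} <= flags
    return core and bool(flags & {"running_app_probe", "device_admin"})

# Constructed sample manifests (not taken from any real sample).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application><receiver android:name=".Admin"
      android:permission="android.permission.BIND_DEVICE_ADMIN"/></application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        perms, flags = triage_manifest(xml)
        print(label, sorted(flags), "REVIEW" if needs_review(flags) else "ok")
```

A flag from this check is a prompt for manual review, since legitimate messaging or device-management apps can request the same permissions.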


Topics: Mobile, Rogue Mobile Applications, Mobile Crimeware
