Earlier this year, PhishLabs wrote an in-depth analysis on Marcher, an Android Banking Trojan which is available for purchase as a kit on underground marketplaces. Marcher runs in the background on an infected device and monitors its operation to detect the launch of specific applications or websites. When a targeted application or site is opened, Marcher overlays the screen with a customized phishing site which mimics the look and feel of the targeted institution. Recent samples of Marcher have demonstrated an increase in total number of targeted institutions as well as a spread to additional geographic locations.
Samples examined during research for our initial posts on Marcher in January showed that the malware monitored at least 42 different applications or sites, targeting 24 organizations and 8 built-in Android applications. At the time, the targeted organizations were limited to Australia, Germany, France, and the United States.
Web Overlay Examples
Samples analyzed by PhishLabs during the month of June indicate that the number of targeted organizations and locations has increased substantially. Our analysis shows that Marcher now targets customers of a total of 66 organizations or applications, including 62 banking organizations, 3 mail applications, and 1 payment provider. Geographic locations targeted include Germany, Austria, Australia, Turkey, France and the United Kingdom.
June 2016 Marcher Geographic Targeting
German banks were the first financial institutions to be targeted by Marcher in 2014, and they remain the most targeted of all the affected regions. In total, Marcher targets 21 German banks, including three of the top five banks in Germany. France comes in a close second with 15 targeted banks, including the five largest French banks. France is followed by Turkey and Austria with eight apiece, Australia with seven targets, and the United Kingdom with three targeted banks. Turkey and the United Kingdom are the notable additions to this target list, as they were not targeted in previously analyzed samples. Additionally, no targets within the United States were observed in the most recent samples. Because the malware can be customized by each individual actor, other Marcher samples may include different targets and regions, and given this capability, expanded targeting seems likely in the future. The table below contains a selected list of the targets found in recent Marcher samples.
Selected June 2016 Marcher Targets
Since Marcher is available as a kit on underground markets, the manner by which malware is delivered to victims is determined by each individual actor. Marcher has been observed being distributed through the following channels:
- SMS Messages
- Mobile adware
- Links on blogging and social media sites
- Links in spam email messages
The latest samples of Marcher analyzed by PhishLabs tend to masquerade as an installer for Adobe Flash Player. This may seem like an odd choice since Adobe phased out development of Flash for mobile devices in 2012; however, a significant number of websites still rely on Flash for full functionality so some users will go out of their way to manually install the Flash Player.
Marcher Masquerading as Flash Player
Recent Marcher Indicators of Compromise
Defending Against Marcher
Marcher asks for a wide range of dangerous permissions, which ought to be seen as a red flag. Unfortunately, so do many common legitimate applications. As such, many Android users simply authorize all permissions without considering their impacts when installing an application on their device. Users should consider whether the application they are installing needs all of the access that it is requesting before approving installation.
Typical Marcher Permissions
Marcher is typically distributed via methods which require the user to change their security settings to allow applications from untrusted sources to be installed on the phone. Users should not follow unsolicited mobile application download links received via email, blogging sites, social media or SMS. Users should also avoid third-party application repositories and should only download applications from trusted developers on official app stores.
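The launch-triggered overlay behaviour described at the top of this post is also a pattern a device-side monitor can look for: a watched banking or mail application comes to the foreground, and within a fraction of a second a different, unrelated package draws a window on top of it. The heuristic below is an added example, not PhishLabs code; the event records, package names and the list of watched applications are all constructed for illustration.

```python
from collections import namedtuple

# Constructed simplification of what a device-side monitor could record:
# ts in milliseconds, kind is "foreground" (app came to front) or "overlay"
# (a package drew a window over the screen), pkg is the package responsible.
Event = namedtuple("Event", "ts kind pkg detail")

# Constructed sample: a fake "Flash Player" package overlays a banking app
# 300 ms after launch and a mail app 250 ms after launch; a chat-bubble app
# draws an overlay too, but 4 s after an unwatched browser came to the front.
SAMPLE_EVENTS = [
    Event(1000, "foreground", "com.example.bank", ""),
    Event(1300, "overlay", "com.fake.flashplayer", "TYPE_SYSTEM_ALERT"),
    Event(5000, "foreground", "com.android.chrome", ""),
    Event(9000, "overlay", "com.example.chatheads", "TYPE_SYSTEM_ALERT"),
    Event(20000, "foreground", "com.example.mail", ""),
    Event(20250, "overlay", "com.fake.flashplayer", "TYPE_SYSTEM_ALERT"),
]

WATCHED = {"com.example.bank", "com.example.mail"}  # assumed monitored targets
WINDOW_MS = 2000  # assumed: overlays later than this are not launch-triggered


def find_launch_triggered_overlays(events, watched=WATCHED, window_ms=WINDOW_MS):
    """Return (overlay_pkg, victim_pkg, delay_ms) for every overlay drawn by a
    different package shortly after a watched app came to the foreground."""
    hits = []
    last_fg = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "foreground":
            last_fg = ev
        elif ev.kind == "overlay" and last_fg is not None:
            delay = ev.ts - last_fg.ts
            if last_fg.pkg in watched and ev.pkg != last_fg.pkg and delay <= window_ms:
                hits.append((ev.pkg, last_fg.pkg, delay))
    return hits


def suspect_packages(events, min_victims=2, **kwargs):
    """Packages that overlay more than one watched app are the strongest
    signal: a legitimate overlay (a chat bubble, a screen filter) has no
    reason to react to the launch of several unrelated banking or mail apps."""
    victims = {}
    for overlay_pkg, victim, _ in find_launch_triggered_overlays(events, **kwargs):
        victims.setdefault(overlay_pkg, set()).add(victim)
    return sorted(pkg for pkg, v in victims.items() if len(v) >= min_victims)


if __name__ == "__main__":
    for hit in find_launch_triggered_overlays(SAMPLE_EVENTS):
        print("overlay %s over %s after %d ms" % hit)
    print("suspect packages:", suspect_packages(SAMPLE_EVENTS))
```

On a real device the foreground and overlay events would come from an accessibility service or device-management agent; the correlation logic is the same regardless of the collector.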
With PhishLabs’ Rogue Mobile Application Protection service, we actively monitor more than 75 official and unofficial application repositories or stores, analyzing current mobile apps, updates and new mobile applications. When possible brand abuse is detected, we confirm the abuse, determine if the app is malicious, and review it for security risk. When a rogue mobile application is confirmed, PhishLabs notifies your team and quickly takes action to shut it down and remove it from the application repositories where it is hosted.