The Android-based banking trojan Marcher has been updated, and is now being used by cybercriminals to target customers of major banks in the United Kingdom.
First discovered in 2013, Marcher (detected by Trend Micro as AndroidOS_Fobus.AXM) started out as phishing malware aimed at users of the Google Play app store, stealing payment card details. It did so by drawing a fake window on top of the store's activity, tricking users into entering their card data.
The trojan operated under the malware-as-a-service business model: it was sold commercially as a toolkit on underground forums and online black markets in the deep web. As a result, its distribution methods varied, from unofficial and third-party app stores, PC and mobile adware, and social media and email spam links, to SMS messages, including texts with malicious URLs sent from already-infected devices to their contact lists. The malicious ads and URLs redirect victims to a compromised website and prompt them to download the malware disguised as an Android Package (APK).
By 2014 it had evolved into a banking trojan, initially targeting financial institutions in Germany. It later expanded its target list to include France, Poland, Turkey, the U.S., Australia, Spain and Austria, among others.
According to IBM security researcher Limor Kessem, the latest version of the trojan has stepped up its financial theft and fraud capabilities by adding nine large UK banks to its list of targets. It can now also undermine authentication and antivirus protection by intercepting the communication between users and the banks' two-factor authentication systems (the SMS one-time codes), and by blocking eight known mobile security apps. Phished credentials are vetted by testing them against the bank's servers; only after a successful login does the malware send them to its command-and-control (C&C) server. To further monetize the infection, the device is subscribed to premium call and text services registered in foreign countries.
Kessem added that the malware can also display a fake overlay screen over mobile browsers accessing banking websites. She further explained, “Once users enter their information into the fake screen, the data is sent to the attacker’s control server. Beyond its overlay screens, the Marcher mobile bot possesses an SMS hijacking module in addition to call and message diversion options. It can perform data exfiltration of a user’s browser history, contact list and the list of installed apps on the device.”
The ubiquity of mobile devices and the steady advance of mobile technology are mirrored in increasingly sophisticated mobile malware. Marcher is just one of many families whose methods of victimizing users are continually fine-tuned to maximize the cybercriminals' profit.
The Fanta SDK malware (detected by Trend Micro as ANDROIDOS_FANTA.AXB), for instance, infected users by posing as the legitimate banking app of Sberbank, the largest bank in Russia and Eastern Europe. It can lock users out of their phones by changing the device password while it empties their bank accounts. It also includes a phishing component that uses a fake Google Play page, C&C communication, and theft of SMS messages and the contact list.
The Lurk malware used social engineering to lure victims, impersonating popular apps such as WhatsApp and Google Play to trick users into downloading and installing it. It was also designed to reside in memory to evade detection and make removal more difficult. It was widely deployed, costing six Russian banks 1.7 billion rubles ($25.7 million), which led to 80 searches by Russia's Federal Security Service and Interior Ministry and the arrest of 50 hackers.
Android users, particularly those who use online banking applications, are advised to adopt safeguards that mitigate, if not prevent, malware infection: avoid third-party app stores and repositories, keep apps updated, delete apps no longer in use, and treat unexpected messages carrying suspicious URLs or download prompts with caution.