Marcher Madness continues with a new, stealthier iteration of the Marcher banking malware targeting Android users in Australia.
In a new post, Oren Koriat, a mobile information security analyst at Check Point, details the process of an attack from the malware, which first reared its head in 2013 targeting mainly Google Play users in Russia to siphon off their credit card details by displaying a phony credit card entry page. By March 2014, however, the malware – available as malware-as-a-service on underground web forums – had evolved its capabilities to include bank credential theft and began spreading among online bank users in Germany. And recently, Check Point researchers say, a new Marcher campaign launched via porn sites.
It spreads through phishing campaigns where targets receive spoofed emails that appear to be legitimate but might include suspicious addresses. If a recipient clicks on a link, they are then tricked into enabling installation from unknown sources outside Google Play and a malicious app is downloaded.
While Marcher's previous versions were common enough, this one allows attackers to bypass two-factor authentication by convincing users to grant additional permissions, thus SMSs sent to the device can be pilfered.
At this point, the malware siphons off the list of every app on the device and transfers this data to a remote C&C server which verifies if the device contains an app targeted by the malware.
"Once a targeted app is launched by the user, the malware will present an overlay of the login page to steal the user's credentials," explained Koriat at Check Point.
Marcher dupes its victims to log into their bank account – at this point all in Australia – by displaying notices that say that money was added to their account.