A sophisticated strain of Android banking malware that can steal users' financial information – including credit card details – is currently in circulation posing as a software update, researchers from US-based cybersecurity firm Zscaler warned this week (23 June).
Dubbed "Marcher", the malware has existed since 2013 and previously targeted a slew of UK financial institutions. It is often sold on underground Russian forums and uses "overlay" tactics to trick victims into thinking they are inserting their passwords into a legitimate service.
In the majority of Marcher cases, a hacker will attempt to dupe the victim into clicking a malicious link in a text message by impersonating a fraud warning from a bank.
In the most recent variant, the malware comes in the form of an update for Adobe Flash Player spreading via malicious URLs, experts warned. Links will often be presented in the form of "lures" which promise pornographic content or popular games.
Upon opening the link, the latest version of Marcher will inform the user their device's Flash Player is out-of-date. If they click update, the malware will drop onto the device and get to work by hiding itself and connecting to the criminals' command and control (C&C) server.
The malware then waits silently for the victim to open an application from its target list – which currently consists of more than 40 banks, financial institutions and online services.
If a user opens any of the targeted apps the malware will use an overlay page in the hope the victim enters credentials. If so, they will be sent directly to the hacker. It will be too late.
The target list includes PayPal, Morgan Stanley, HSBC, American Express, Coinbase, Best Buy, Western Union, eBay and more. These fake pages are hosted remotely which allows the criminal operator to update them as needed, Zscaler experts warned in a blog post.
Unlike past samples of Marcher, this one is highly effective at staying hidden from anti-virus software. When tested on VirusTotal, a service that helps identify malware and Trojans, it had a 20% detection rate. It remains unknown how many Android devices have been infected.
"We have been seeing regular infection attempts for this Marcher variant in the past month," wrote Zscaler senior security researcher Viral Gandhi. "The frequent changes in the Marcher family indicate that the malware remains an active and prevalent threat to Android devices.
"To avoid being a victim of such malware, be sure to download apps only from trusted app stores, such as Google Play. By unchecking the 'Unknown Sources' option under the 'Security' settings of your device, you can prevent inadvertent downloads from questionable sources."
Consumers should ensure all Android devices' security settings are kept up-to-date to help stay safe from threats. Always be on the lookout for suspicious links and attachments, whether coming from text messages or emails, and ensure credentials are unique for every website.
"Marcher is growing into a mature Trojan with solid organisation behind it like many of the banking malware variants we have seen over the years," wrote researchers from Securify in February this year. "We have been worrying about security on desktop computers for decades.
"Now, with mobile malware on the rise, it's about time everyone starts worrying about mobile device security, especially considering that for many targeted financials most transactions these days take place on mobile devices."