Security Experts:

Improved "Marcher" Banking Trojan Targets UK

Malware developers have made some significant improvements to the Marcher Trojan, which is now also being leveraged by cybercriminals to target the customers of major banks in the United Kingdom.

Marcher, which retails for roughly $5,000, is an Android banking Trojan that has been around since late 2013. Distributed on Russian underground forums, the threat was initially designed to display phishing pages on top of Google Play to trick users into handing over their credit card details.

However, in March 2014, a new variant of the malware was spotted targeting banks in Germany. The list of targeted countries was later expanded to include France, Poland, Turkey, the United States, Australia, Spain, Austria and others.

IBM Security researchers have been monitoring the threat and discovered that, in late May, its authors added nine major banks in the U.K. to the list of targets.

Similar to other Android banking Trojans, such as GM Bot, Marcher has been using overlay screens to steal information from victims. In many cases, the overlay screens are customized for the targeted bank and they are either hardcoded or fetched dynamically by the malware.

While the Trojan has mostly focused on targeting mobile banking apps, it’s also capable of stealing data from payment, airline, e-commerce and direct marketing applications.

Unlike other Android banking malware, Marcher doesn’t only target applications. The phishing screens are displayed both on top of banking apps and the bank’s website when users access it in a web browser. Researchers observed overlay screens being displayed on top of Austrian and Australian banking websites and the site of a popular online payments application.

Another interesting Marcher feature is that it allows cybercriminals to send out SMS messages to victims, informing them of a money transfer to their account. Once they see this message, victims are more likely to open the targeted banking app or website so that the attackers don’t have to wait to serve the phishing pages.

According to researchers, the Trojan doesn’t send all the credentials it harvests back to cybercriminals. Marcher first tests them on the targeted bank’s website and only sends them to the command and control (C&C) server if they are valid.

Marcher is also capable of intercepting SMS messages and phone calls, which is useful for two things. First, it allows attackers to forward messages and phone calls that contain data sent to the user by the bank’s two-factor authentication system. Secondly, by gaining control of SMS and phone call functions, fraudsters can make calls and send messages to premium rate numbers to generate an extra income.

Since an increasing number of users install antivirus apps on their Android devices, malware authors have designed Marcher to block eight popular antiviruses. In order to avoid raising suspicion, the Trojan sends notifications to inform victims that the antivirus app still protects the device.

Related: Mobile Malware Market Increasingly Competitive

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.