Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Improved “Marcher” Banking Trojan Targets UK

Malware developers have made some significant improvements to the Marcher Trojan, which is now also being leveraged by cybercriminals to target the customers of major banks in the United Kingdom.

Malware developers have made some significant improvements to the Marcher Trojan, which is now also being leveraged by cybercriminals to target the customers of major banks in the United Kingdom.

Marcher, which retails for roughly $5,000, is an Android banking Trojan that has been around since late 2013. Distributed on Russian underground forums, the threat was initially designed to display phishing pages on top of Google Play to trick users into handing over their credit card details.

However, in March 2014, a new variant of the malware was spotted targeting banks in Germany. The list of targeted countries was later expanded to include France, Poland, Turkey, the United States, Australia, Spain, Austria and others.

IBM Security researchers have been monitoring the threat and discovered that, in late May, its authors added nine major banks in the U.K. to the list of targets.

Similar to other Android banking Trojans, such as GM Bot, Marcher has been using overlay screens to steal information from victims. In many cases, the overlay screens are customized for the targeted bank and they are either hardcoded or fetched dynamically by the malware.

While the Trojan has mostly focused on targeting mobile banking apps, it’s also capable of stealing data from payment, airline, e-commerce and direct marketing applications.

Unlike other Android banking malware, Marcher doesn’t only target applications. The phishing screens are displayed both on top of banking apps and the bank’s website when users access it in a web browser. Researchers observed overlay screens being displayed on top of Austrian and Australian banking websites and the site of a popular online payments application.

Another interesting Marcher feature is that it allows cybercriminals to send out SMS messages to victims, informing them of a money transfer to their account. Once they see this message, victims are more likely to open the targeted banking app or website so that the attackers don’t have to wait to serve the phishing pages.

Advertisement. Scroll to continue reading.

According to researchers, the Trojan doesn’t send all the credentials it harvests back to cybercriminals. Marcher first tests them on the targeted bank’s website and only sends them to the command and control (C&C) server if they are valid.

Marcher is also capable of intercepting SMS messages and phone calls, which is useful for two things. First, it allows attackers to forward messages and phone calls that contain data sent to the user by the bank’s two-factor authentication system. Secondly, by gaining control of SMS and phone call functions, fraudsters can make calls and send messages to premium rate numbers to generate an extra income.

Since an increasing number of users install antivirus apps on their Android devices, malware authors have designed Marcher to block eight popular antiviruses. In order to avoid raising suspicion, the Trojan sends notifications to inform victims that the antivirus app still protects the device.

Related: Mobile Malware Market Increasingly Competitive

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.