Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Improved “Marcher” Banking Trojan Targets UK

Malware developers have made some significant improvements to the Marcher Trojan, which is now also being leveraged by cybercriminals to target the customers of major banks in the United Kingdom.

Malware developers have made some significant improvements to the Marcher Trojan, which is now also being leveraged by cybercriminals to target the customers of major banks in the United Kingdom.

Marcher, which retails for roughly $5,000, is an Android banking Trojan that has been around since late 2013. Distributed on Russian underground forums, the threat was initially designed to display phishing pages on top of Google Play to trick users into handing over their credit card details.

However, in March 2014, a new variant of the malware was spotted targeting banks in Germany. The list of targeted countries was later expanded to include France, Poland, Turkey, the United States, Australia, Spain, Austria and others.

IBM Security researchers have been monitoring the threat and discovered that, in late May, its authors added nine major banks in the U.K. to the list of targets.

Similar to other Android banking Trojans, such as GM Bot, Marcher has been using overlay screens to steal information from victims. In many cases, the overlay screens are customized for the targeted bank and they are either hardcoded or fetched dynamically by the malware.

While the Trojan has mostly focused on targeting mobile banking apps, it’s also capable of stealing data from payment, airline, e-commerce and direct marketing applications.

Unlike other Android banking malware, Marcher doesn’t only target applications. The phishing screens are displayed both on top of banking apps and the bank’s website when users access it in a web browser. Researchers observed overlay screens being displayed on top of Austrian and Australian banking websites and the site of a popular online payments application.

Another interesting Marcher feature is that it allows cybercriminals to send out SMS messages to victims, informing them of a money transfer to their account. Once they see this message, victims are more likely to open the targeted banking app or website so that the attackers don’t have to wait to serve the phishing pages.

According to researchers, the Trojan doesn’t send all the credentials it harvests back to cybercriminals. Marcher first tests them on the targeted bank’s website and only sends them to the command and control (C&C) server if they are valid.

Marcher is also capable of intercepting SMS messages and phone calls, which is useful for two things. First, it allows attackers to forward messages and phone calls that contain data sent to the user by the bank’s two-factor authentication system. Secondly, by gaining control of SMS and phone call functions, fraudsters can make calls and send messages to premium rate numbers to generate an extra income.

Since an increasing number of users install antivirus apps on their Android devices, malware authors have designed Marcher to block eight popular antiviruses. In order to avoid raising suspicion, the Trojan sends notifications to inform victims that the antivirus app still protects the device.

Related: Mobile Malware Market Increasingly Competitive

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.