Recently, security researchers have been warning consumers about Marcher, an early Android Trojan targeting banks. The Trojan first appeared to affect banking applications in Argentina, Colombia, Mexico, Peru, Chile and Brazil, but has since expanded to the United States and the rest of the world.
While we already knew that the malware was monitoring the execution of 23 Latin American financial applications by layering an additional phishing interface over the legitimate screen in order to steal banking credentials, we wanted to learn more. So, our Research team, working in collaboration with our banking customers, conducted an in-depth analysis. Here’s what we found:
Marcher seems to be an evolution of the Acecard malware that surfaced late last year, based on the following shared characteristics:
- affects Android 5.1 and earlier versions
- requests dangerous permissions, such as allowing the app to read a device’s contacts or send and receive text messages
- requests admin rights
- monitors play stores, Gmail and banking applications, even PayPal
Using reverse engineering, our team compared the malware’s technical features and found that Marcher abuses the same weakness in the Android API that Acecard had exposed, in order to implement an identical attack. We also uncovered similar behaviour toward certain banking and non-financial apps: in every instance the apps requested the same permissions and administration rights as Acecard.
Interestingly, we found only a few differences, namely that the apps were not stored in the file on the RAW path. Beyond that, Marcher differs from Acecard only in its name, icons and pop-up windows, such as the one pictured below. Apart from those small differences, Marcher and Acecard are virtually the same malware, which makes this variant easier to combat.
Fighting Fire with Fire
Because of their similarities, the same techniques used in avoiding Acecard can be employed to avoid Marcher:
- Users should update their Android system to the latest version (later than 5.1) to prevent malware attacks.
- Users should always review permissions before downloading an app. Permissions such as allowing an app to record conversations, read texts or change a wifi state should be red flags to users.
- Users should only download apps from authorized stores, such as the Google Play Store.
- The Google Play store should be vigilant about removing apps with suspicious permissions.
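As an added example (not code from the original post or its authors), the following Python triage script applies the permission red flags listed above to an Android manifest; the SYSTEM_ALERT_WINDOW permission and the BIND_DEVICE_ADMIN receiver check are assumptions, real Android names the post does not itself cite, and the sample manifest is constructed.

```python
"""Triage an Android manifest for the permission pattern this post attributes
to Marcher/Acecard: SMS/contacts access, device-admin rights and overlay ability."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the post calls out as red flags, plus SYSTEM_ALERT_WINDOW, which an
# app needs to draw a phishing screen over another app (assumption: real
# permission name, not mentioned in the post).
RED_FLAG_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.RECEIVE_SMS": "receive text messages",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.RECORD_AUDIO": "record conversations",
    "android.permission.CHANGE_WIFI_STATE": "change wifi state",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays",
}
MESSAGING_FLAGS = {"read contacts", "read text messages",
                   "receive text messages", "send text messages"}

def triage_manifest(manifest_xml: str) -> dict:
    """Return the red-flag permissions requested, whether a device-admin receiver
    is declared, and a verdict. Overlay + device admin + SMS/contacts access is
    the combination this post describes for the banking-overlay Trojan."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    flags = sorted(RED_FLAG_PERMISSIONS[p] for p in requested if p in RED_FLAG_PERMISSIONS)
    # A device-admin component is a <receiver> protected by BIND_DEVICE_ADMIN.
    wants_admin = any(
        r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver"))
    if "draw overlays" in flags and wants_admin and MESSAGING_FLAGS & set(flags):
        verdict = "overlay-trojan pattern"
    else:
        verdict = "review" if (flags or wants_admin) else "ok"
    return {"flags": flags, "device_admin": wants_admin, "verdict": verdict}

# Constructed sample manifest (not taken from any real app) showing the pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```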
We will continue to see modified malware moving between regions, and malware with similar properties affecting other regions, because the overlapping techniques can be turned against a wide range of financial applications. That is why cross-cutting protection, such as the ability to detect overlay attacks and pharming, is so important: it limits the effectiveness of whole classes of attack, so companies do not need to rely on blacklisting alone. Organizations must detect targeted, active attacks rather than merely the presence of malware.