Marcher Trojan Isn't Going Away. It's Getting Smarter.


The Android Trojan called Marcher first came onto the scene in 2013, but it’s not showing any signs of going away.  This Trojan started out as an application focused on stealing information directly from Google Play users. However, since then, its creators have kept very busy researching and improving the methods they use to trick users into giving up their financial information.

Marcher has appeared in various iterations. Of all the Android Trojans, it is one of the most potent, having infected a massive number of devices over time. Two capabilities in its arsenal make it such a successful attack. First, it can bypass two-factor authentication by intercepting SMS messages sent to an infected phone. Second, it can overlay other applications with fake content that lures users into providing their sensitive information. This works even on Android 6, which was supposedly designed to be protected from the most common implementations of these malicious overlays. The Trojan is most commonly distributed via SMS/MMS phishing and through malvertising on pornographic sites.

Figure 1. Rogue app containing Android Marcher Trojan

Marcher campaigns are known for using social engineering to deceive users in order to infect their devices. Their most common trick is to spoof banking applications, not-yet-released games, and security or Flash updates. Each individual attack affects an average of 50 institutions worldwide.


Though all Marcher Trojans are similar, each version typically contains some changes in the overall code. For example, things such as obfuscation, sensitive information storage, and protection techniques are always updated, while the main functionalities remain the same in all versions. Out of all the modules that help fraudsters create successful attacks, the following are the most important:

  • SMS stealing
  • Remote command execution
  • Send USSD commands
  • Send SMS
  • Lock device
  • Enable/disable sound
  • SOCKS 5 implementation
  • Overlapping

Figure 2. Snippet of code used to capture victim's SMS
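
A static triage sketch for the module list above, added here as an example and not taken from the original post or from Marcher's code. It maps those capabilities to Android permissions an app would typically declare to perform them (an assumed mapping) and flags a decoded, text-form AndroidManifest.xml that combines several; both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping (not extracted from Marcher samples): permissions an app would
# typically declare to perform each capability named in the module list.
CAPABILITY_SIGNALS = {
    "SMS stealing": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "Send SMS": {"android.permission.SEND_SMS"},
    "Send USSD commands": {"android.permission.CALL_PHONE"},
    "Lock device": {"android.permission.BIND_DEVICE_ADMIN"},
    "Overlapping": {"android.permission.SYSTEM_ALERT_WINDOW"},  # overlay windows
}

def declared_permissions(manifest_xml):
    """Return <uses-permission> names plus permissions guarding receivers
    (BIND_DEVICE_ADMIN is declared on a <receiver>, not as a uses-permission)."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    perms |= {e.get(ANDROID + "permission") for e in root.iter("receiver")}
    perms.discard(None)
    return perms

def triage(manifest_xml, threshold=3):
    """Flag a manifest for analyst review when it combines several capabilities."""
    perms = declared_permissions(manifest_xml)
    hits = [cap for cap, sig in CAPABILITY_SIGNALS.items() if perms & sig]
    return {"capabilities": hits, "review": len(hits) >= threshold}

def _manifest(package, permissions, receiver_permission=None):
    """Build a constructed, decoded-text AndroidManifest.xml for the demo."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    recv = (f'<receiver android:name=".Admin" android:permission="{receiver_permission}"/>'
            if receiver_permission else "")
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application>{recv}</application></manifest>')

# Constructed samples: a fake "update" app and an ordinary dialer-style app.
SUSPECT = _manifest("com.example.fakeupdate",
                    ["android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
                     "android.permission.CALL_PHONE", "android.permission.SYSTEM_ALERT_WINDOW"],
                    "android.permission.BIND_DEVICE_ADMIN")
BENIGN = _manifest("com.example.dialer",
                   ["android.permission.INTERNET", "android.permission.CALL_PHONE"])

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(xml))
```

Any single permission here is common in legitimate apps; the signal is the combination, and the threshold of three is an arbitrary starting point for review queues.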


By following the evolution of the Trojan since 2016, it is easy to see the improvements that its creators have made. Below, we have outlined a brief overview of the main changes detected during this time-frame:

  • April 2016: This version contained all the affected applications, as well as the fraudulent content that overlaps them, hard-coded inside its binary. One important characteristic of this version was its use of a very basic scheme to infect affected applications with the malicious content. The simplicity of the scheme required the attacker to specify a different URL for every targeted application, making this solution less secure for attackers, as it was easier to filter the malicious traffic and extract information on all the different phishing sites associated with a given attack. In addition, it was very time-consuming from the attacker’s perspective.
    Figure 3. Affected banking applications from the analyzed sample
  • February 2017: This iteration of the Marcher Trojan included a major update: fraudsters focused on making their own lives easier when reconfiguring the attack. To do so, they created an API that provided the malicious content to an infected phone if the correct parameter was provided (each affected application had its own specific identification code). In addition, they began using the SSL protocol to encrypt communications between the bot and the server, allowing them to hide the malicious traffic.
    Figure 4. Affected banking applications from the analyzed sample
  • June 2017: The most recent Marcher campaign came with a huge security update for the Trojan. Fraudsters wanted to hide as much information as possible from analysts, so they implemented a very simple string obfuscation and an AES encryption algorithm to store the affected applications list and all associated traffic (which was already protected by the SSL protocol). Further, they added some anti-virtualization and anti-debugging routines to avoid sandboxes.
    Figure 5. AES decryption algorithm implemented in the last version of Marcher

What can we learn from the evolution of the Marcher Trojan? In the same way that we are constantly improving our anti-fraud protections, fraudsters are always looking for new ways to protect themselves and create successful attacks. If an attack proves inefficient or unsuccessful, we can’t expect attackers to simply give up; rather, they will come back with a stronger strategy. Without a proactive protection strategy that keeps this in mind, companies are leaving themselves open to becoming victims of increasingly sophisticated attacks.

So, how can you protect your users and your organization?

  • Adopt solutions that proactively look for rogue apps imitating your legitimate brand in official and non-official stores to complement other aspects of your security strategy.
  • Integrate SDK libraries into your mobile application that enable a risk-based assessment of the device as well as detect malicious behavior, such as overlay attacks.
  • Partner with a vendor that provides 24/7/365 real-time external threat monitoring, and that has the capability to take down C&C servers such as those used in the Marcher Trojan.
  • Educate your users about mobile risks, and encourage them to not “root” their devices, which leaves them open to attacks such as Trojans.

To learn more about how to protect against attacks like Marcher, please take a look at Digital Threat Protection and Detect Safe Browsing Mobile SDK.
