Trojan Hits Android Devices

Monday, February 13, 2017 @ 05:02 PM gHale

An Android banking Trojan distributed through a single botnet stole a large number of payment card details.

The Trojan, called Marcher, has been around since late 2013, but it initially attempted to trick users into handing over their payment card details using Google Play phishing pages.


In March 2014, the malware started targeting banks in Germany and, by the summer of 2016, there had already been more than 60 targeted organizations in the U.S., U.K., Australia, France, Poland, Turkey, Spain and other countries, according to Dutch security firm Securify.

The malware has been disguised as various apps, including Netflix, WhatsApp and Super Mario Run.

Securify found nine Marcher botnets over six months, and each of them was supplied with new modules and targeted web injects by the Trojan’s creators.

One of these botnets, which mainly targets customers of banks in Germany, Austria and France, infected more than 11,000 devices, including 5,700 in Germany and 2,200 in France. The attackers’ C&C server stored 1,300 payment card numbers and other banking information.

Based on the analysis of the command and control (C&C) server used by the cybercriminals, researchers determined a majority of the infected devices had been running Android 6.0.1, but the list of victims also included more than 100 Android 7.0 devices.

Marcher monitors the applications launched by the victim, and when one of the targeted apps is detected in the foreground, it displays an overlay screen in an effort to trick the user into handing over sensitive information.

“Marcher is one of the few Android banking Trojans to use the AndroidProcesses library, which enables the application to obtain the name of the Android package that is currently running in the foreground. This library is used because it uses the only (publicly known) way to retrieve this information on Android 6 (using the process OOM score read from the /proc directory),” Securify researchers said in a blog post.

To prevent security software from removing it, Marcher blocks mobile antivirus applications. Seven months ago, researchers said the Trojan was blocking eight antivirus products, but Securify’s report shows the malware now targets nearly two dozen.
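As an added defender-side illustration (not code from Securify or from this article), the following Python heuristic flags an app that combines the three behaviours the report attributes to Marcher: the overlay permission needed to draw a phishing screen over a banking app, strings pointing at /proc OOM-score reads used to learn the foreground package on Android 6, and references to many security products’ package names. The artifact format, the indicator weights and thresholds, and the security-product package names are assumptions constructed for this example; the real list of products Marcher blocks is not reproduced here.

```python
"""Heuristic triage of an Android app for Marcher-style behaviours.

Added example. The input is a constructed, simplified representation of what
a static-analysis tool would extract from an APK (manifest permissions plus
printable strings); it is not taken from a real Marcher sample.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Permission that lets an app draw over other apps, which an overlay
# phishing screen needs.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"

# Strings suggesting the /proc OOM-score technique for learning the
# foreground package (the approach the AndroidProcesses library uses).
PROC_PATTERNS = [
    re.compile(r"/proc/\S*oom_score"),
    re.compile(r"\bAndroidProcesses\b"),
]

# Placeholder package names standing in for mobile security products.
# Constructed for this example; they are not real vendor packages.
SECURITY_PACKAGES: Set[str] = {
    "com.example.av.one", "com.example.av.two", "com.example.av.three",
    "com.example.av.four", "com.example.av.five",
}


@dataclass
class AppArtifacts:
    package: str
    permissions: Set[str]
    strings: List[str]


@dataclass
class Finding:
    indicator: str
    detail: str
    weight: int


def overlay_finding(app: AppArtifacts) -> Optional[Finding]:
    """Overlay permission alone is common in legitimate apps, so weight it low."""
    if OVERLAY_PERMISSION in app.permissions:
        return Finding("overlay", "requests SYSTEM_ALERT_WINDOW", 2)
    return None


def proc_probe_finding(app: AppArtifacts) -> Optional[Finding]:
    """Look for strings tied to reading OOM scores from /proc."""
    hits = set()
    for s in app.strings:
        for pat in PROC_PATTERNS:
            m = pat.search(s)
            if m:
                hits.add(m.group(0))
    if hits:
        return Finding("foreground-probe",
                       "references /proc OOM-score reads: " + ", ".join(sorted(hits)), 3)
    return None


def security_product_finding(app: AppArtifacts, min_hits: int = 3) -> Optional[Finding]:
    """Many security-product package names in one app suggest AV blocking."""
    refs = sorted(pkg for pkg in SECURITY_PACKAGES
                  if any(pkg in s for s in app.strings))
    if len(refs) >= min_hits:
        return Finding("av-targeting",
                       f"references {len(refs)} security-product package names", 3)
    return None


def triage(app: AppArtifacts) -> Dict[str, object]:
    """Combine the indicators into a score and a verdict (thresholds assumed)."""
    findings = [f for f in (overlay_finding(app), proc_probe_finding(app),
                            security_product_finding(app)) if f]
    score = sum(f.weight for f in findings)
    verdict = "suspicious" if score >= 5 else ("review" if score > 0 else "clean")
    return {"package": app.package, "score": score,
            "verdict": verdict, "findings": findings}


# Constructed sample artifacts used to exercise the heuristic.
SUSPICIOUS_APP = AppArtifacts(
    package="com.example.fakestream",
    permissions={"android.permission.INTERNET", OVERLAY_PERMISSION,
                 "android.permission.RECEIVE_SMS"},
    strings=["/proc/%d/oom_score", "AndroidProcesses",
             "com.example.av.one", "com.example.av.two", "com.example.av.three"],
)
OVERLAY_ONLY_APP = AppArtifacts(
    package="com.example.screenfilter",
    permissions={OVERLAY_PERMISSION},
    strings=["Adjust brightness"],
)
BENIGN_APP = AppArtifacts(
    package="com.example.notes",
    permissions={"android.permission.INTERNET"},
    strings=["Hello world", "/proc/meminfo"],
)

if __name__ == "__main__":
    for app in (SUSPICIOUS_APP, OVERLAY_ONLY_APP, BENIGN_APP):
        report = triage(app)
        print(report["package"], report["verdict"], report["score"])
        for f in report["findings"]:
            print("  -", f.indicator, ":", f.detail)
```

In practice the strings list would come from a tool that unpacks the APK, and the weights would be tuned against a corpus of known-good apps; an overlay permission on its own is deliberately scored as “review” rather than “suspicious” because many legitimate utilities draw over other apps.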
