A three-pronged banking malware campaign has been infecting Android phones since the beginning of this year, according to security researchers.
Attackers have been stealing credentials, planting the Marcher banking Trojan on phones, and nicking credit card information. So far, they have targeted customers of BankAustria, Raiffeisen Meine Bank and Sparkasse, but the campaign could spread beyond Vienna.
The attack begins with a phishing message delivered by email to a phone, security researchers at Proofpoint explained in a Friday post. The message pretends to be from the target's bank and contains a link that often is obscured by a Web address shortener like bit.ly.
The link takes the victim to a bogus bank page where the bandits request the target's bank account or PIN information.
Once the hackers have that information, they instruct victims to log into their accounts using their email address and password. All the information entered at the fake banking site is harvested by the hackers.
Permission to Hijack
Instead of getting access to an account, banking customers get a popup message instructing them to install the bank's security app. About 7 percent of targets have downloaded the "security app," which is really the Marcher malware, Proofpoint estimated.
Once installed, the malware asks for extensive permissions -- everything from receiving, sending, reading and writing SMS messages to opening network sockets, reading address books, changing system settings and even locking the phone.
In addition, when applications like the Google Play store are opened, the malware will ask for the user's credit card information.
While banking Trojans and phishing are common fare for cybercriminals, combining the two in a focused campaign isn't, noted Patrick Wheeler, director of threat intelligence at Proofpoint.
"In general, we don't see a lot of crossover between phishing actors and those who distribute malware," he told TechNewsWorld. "The combination of the socially engineered banking Trojan download and multistep phishing attack that gathers credentials or financial information at each step, is fairly unusual."
Not Your Typical Email Attack
The Marcher campaign in Austria is significantly more coordinated than the standard email attack, noted Matt Vernhout, director of privacy at 250ok.
"However, it may have limited impact, as the number of steps required to complete the attack may be more than most individuals are willing to complete," he told TechNewsWorld.
Marcher has been around for a long time, which is why its perpetrators may find it necessary to modify the way they create landing pages to ensnare victims.
"This is likely because security vendors and domain hosts are hot on their heels shutting them down," said Armando Orozco, a senior malware intelligence analyst with Malwarebytes.
"They need other avenues to keep their business model going," he told TechNewsWorld.
Future Expansion
The likelihood of the Marcher campaign spreading is very high, said Proofpoint's Wheeler.
"Marcher has been observed worldwide, and we have already seen a variety of schemes to distribute the malware, primarily via SMS, and increasingly sophisticated social engineering from actors associated with Marcher," he said.
"Any attack such as this one is usually a canary in the coal mine," noted Rajiv Dholakia, vice president of products at Nok Nok Labs.
"One should expect variations of this to continue to evolve and spread around the world," he told TechNewsWorld.
It's not unusual for malware to be released in a single country or region and then, depending on its success, expand to other countries, said Damien Hugoo, director of product marketing at Easy Solutions.
"We have seen many banking Trojans start out in Europe in the past year and expand globally," he told TechNewsWorld.
Protect Yourself
What can consumers do to protect themselves from this kind of attack?
One defense is to use Android phones that are easy to keep current with the latest version of the operating system, like Google's Pixel and Nexus phones, suggested Daniel Miessler, director of advisory services at IOActive.
"Pixel and Nexus stay updated constantly," he told TechNewsWorld.
Also, "never use app stores other than the official Google Play store," Miessler advised, and "for the highest security, refrain from installing apps that are not extremely well known and well-tested."
Consumers need to be vigilant.
"As with phishing attacks on any platform, the onus is on consumers to beware of scams and look for red flags. Unsolicited emails or texts asking for information or giving extensive reasoning for why they should download an app are clear warning signs," advised Proofpoint's Wheeler.
"Apps that ask for extensive permissions or that do not come from legitimate app stores should also be avoided," he said, "unless consumers are absolutely sure of the origin and necessity of the app."
Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://steemit.com/technology/@mhshojal/marcher-malware-poses-triple-threat-to-android-users
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
thanks for your information
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
you are right
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
I do,t know about this malware.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
try to know
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Hello & Cheers!! I'm a content detection and information bot. You are receiving this reply because a short link or links have been detected in your post/comment. The purpose of this message is to inform your readers and yourself about the use of and dangers of short links.
To the readers of the post: Short links are provided by url shortening services. The short links they provide can be useful in some cases. Generally their use is benign. But as with all useful tools there are dangers. Short links can be used to hide all sorts of things. Quite frequently they are used to hide referral links for instance. While not dangerous this can be deceptive. They can also be used to hide dangerous links such as links to phishing sites, sites loaded with malware, scam sites, etc. You should always be extremely cautious before clicking on one. If you don't know and trust the poster don't click. Even if you do you should still be cautious and wary of any site you are sent to. It's always better to visit the site directly and not through a short link.
To the author of the post: While short links may be useful on some sites they are not needed on steemit. You can use markdown to format your links such as this link to steemit. It's as simple as
[steemit](https://steemit.com)
Unlike short links this allows the reader to see where they are going by simply hovering over the link before they click on it.Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
thanks for your information
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
awesume writter I think he is proffetional scientest
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Congratulations @pingkusabbir! You have completed some achievement on Steemit and have been rewarded with new badge(s) :
Award for the number of comments received
Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here
If you no longer want to receive notifications, reply to this comment with the word
STOP
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Right .good post .
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit