Marcher Malware Poses Triple Threat to Android Users

in technology •  7 years ago 

A three-pronged banking malware campaign has been infecting Android phones since the beginning of this year, according to security researchers.

Attackers have been stealing credentials, planting the Marcher banking Trojan on phones, and nicking credit card information. So far, they have targeted customers of BankAustria, Raiffeisen Meine Bank and Sparkasse, but the campaign could spread beyond Vienna.

The attack begins with a phishing message delivered by email to a phone, security researchers at Proofpoint explained in a Friday post. The message pretends to be from the target's bank and contains a link that often is obscured by a Web address shortener like bit.ly.

The link takes the victim to a bogus bank page where the bandits request the target's bank account or PIN information.

Once the hackers have that information, they instruct victims to log into their accounts using their email address and password. All the information entered at the fake banking site is harvested by the hackers.

Permission to Hijack

Instead of getting access to an account, banking customers get a popup message instructing them to install the bank's security app. About 7 percent of targets have downloaded the "security app," which is really the Marcher malware, Proofpoint estimated.

Once installed, the malware asks for extensive permissions -- everything from receiving, sending, reading and writing SMS messages to opening network sockets, reading address books, changing system settings and even locking the phone.

In addition, when applications like the Google Play store are opened, the malware will ask for the user's credit card information.
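The permission set described above can be checked for before an app is trusted. The following is an added example, not code from the article or from Proofpoint: it reads a decoded, text-form AndroidManifest.xml and flags the combination of SMS access, network access and at least one other sensitive capability. The mapping from the behaviours named in the article to Android permission names, the flagging rule and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: mapping of the behaviours named in the article to Android permission names.
RISK_GROUPS = {
    "sms": {P + "RECEIVE_SMS", P + "SEND_SMS", P + "READ_SMS", P + "WRITE_SMS"},
    "network": {P + "INTERNET"},
    "contacts": {P + "READ_CONTACTS"},
    "settings": {P + "WRITE_SETTINGS"},
    "lock_device": {P + "BIND_DEVICE_ADMIN"},  # device-admin receiver can lock the phone
}

def requested_permissions(manifest_xml):
    """Collect permissions from a text (already decoded) AndroidManifest.xml."""
    perms = set()
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag.startswith("uses-permission"):
            perms.add(el.get(ANDROID + "name"))
        elif el.tag == "receiver":  # device admin is declared on the receiver itself
            perms.add(el.get(ANDROID + "permission"))
    perms.discard(None)
    return perms

def audit(manifest_xml):
    """Heuristic (assumed rule): SMS + network + one more sensitive group is flagged."""
    perms = requested_permissions(manifest_xml)
    hits = {g: sorted(perms & names) for g, names in RISK_GROUPS.items() if perms & names}
    extra = set(hits) - {"sms", "network"}
    flagged = "sms" in hits and "network" in hits and bool(extra)
    return {"flagged": flagged, "groups": sorted(hits), "permissions": hits}

# Constructed sample manifests (not taken from any real app).
FAKE_SECURITY_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.banksecurity">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

WEATHER_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("fake security app", FAKE_SECURITY_APP), ("weather app", WEATHER_APP)):
        print(name, audit(xml))
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text before a check like this can read it.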

While banking Trojans and phishing are common fare for cybercriminals, combining the two in a focused campaign isn't, noted Patrick Wheeler, director of threat intelligence at Proofpoint.

"In general, we don't see a lot of crossover between phishing actors and those who distribute malware," he told TechNewsWorld. "The combination of the socially engineered banking Trojan download and multistep phishing attack that gathers credentials or financial information at each step, is fairly unusual."

Not Your Typical Email Attack

The Marcher campaign in Austria is significantly more coordinated than the standard email attack, noted Matt Vernhout, director of privacy at 250ok.

"However, it may have limited impact, as the number of steps required to complete the attack may be more than most individuals are willing to complete," he told TechNewsWorld.

Marcher has been around for a long time, which is why its perpetrators may find it necessary to modify the way they create landing pages to ensnare victims.

"This is likely because security vendors and domain hosts are hot on their heels shutting them down," said Armando Orozco, a senior malware intelligence analyst with Malwarebytes.

"They need other avenues to keep their business model going," he told TechNewsWorld.

Future Expansion

The likelihood of the Marcher campaign spreading is very high, said Proofpoint's Wheeler.

"Marcher has been observed worldwide, and we have already seen a variety of schemes to distribute the malware, primarily via SMS, and increasingly sophisticated social engineering from actors associated with Marcher," he said.

"Any attack such as this one is usually a canary in the coal mine," noted Rajiv Dholakia, vice president of products at Nok Nok Labs.

"One should expect variations of this to continue to evolve and spread around the world," he told TechNewsWorld.

It's not unusual for malware to be released in a single country or region and then, depending on its success, expand to other countries, said Damien Hugoo, director of product marketing at Easy Solutions.

"We have seen many banking Trojans start out in Europe in the past year and expand globally," he told TechNewsWorld.

Protect Yourself

What can consumers do to protect themselves from this kind of attack?

One defense is to use Android phones that are easy to keep current with the latest version of the operating system, like Google's Pixel and Nexus phones, suggested Daniel Miessler, director of advisory services at IOActive.

"Pixel and Nexus stay updated constantly," he told TechNewsWorld.

Also, "never use app stores other than the official Google Play store," Miessler advised, and "for the highest security, refrain from installing apps that are not extremely well known and well-tested."

Consumers need to be vigilant.

"As with phishing attacks on any platform, the onus is on consumers to beware of scams and look for red flags. Unsolicited emails or texts asking for information or giving extensive reasoning for why they should download an app are clear warning signs," advised Proofpoint's Wheeler.

"Apps that ask for extensive permissions or that do not come from legitimate app stores should also be avoided," he said, "unless consumers are absolutely sure of the origin and necessity of the app."


Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://steemit.com/technology/@mhshojal/marcher-malware-poses-triple-threat-to-android-users

thanks for your information

you are right

I don't know about this malware.

try to know

Hello & Cheers!! I'm a content detection and information bot. You are receiving this reply because a short link or links have been detected in your post/comment. The purpose of this message is to inform your readers and yourself about the use of and dangers of short links.

To the readers of the post: Short links are provided by url shortening services. The short links they provide can be useful in some cases. Generally their use is benign. But as with all useful tools there are dangers. Short links can be used to hide all sorts of things. Quite frequently they are used to hide referral links for instance. While not dangerous this can be deceptive. They can also be used to hide dangerous links such as links to phishing sites, sites loaded with malware, scam sites, etc. You should always be extremely cautious before clicking on one. If you don't know and trust the poster don't click. Even if you do you should still be cautious and wary of any site you are sent to. It's always better to visit the site directly and not through a short link.

To the author of the post: While short links may be useful on some sites they are not needed on steemit. You can use markdown to format your links such as this link to steemit. It's as simple as [steemit](https://steemit.com) Unlike short links this allows the reader to see where they are going by simply hovering over the link before they click on it.

This message was created by a bot. It is part of the ongoing fight against spam and phishing attacks on steemit. If you did not use short links in your post and feel you have received this message in error you can contact @fubar-bdhr on discord or @fubar.bdhr on steemit chat to report the issue.

thanks for your information

awesome writer I think he is professional scientist


Right. Good post.