The famous Marcher malware for Android has received a new update. The latest iteration poses as counterfeit Android security updates. Users are shown crafted pages indicating that their device is vulnerable to exploits and persuades them into installing Marcher.
Marcher utilizes improved tactics
Marcher first appeared in 2013 when it posed as Google Play stealing user credentials and credit card information. In 2014 the malware was used against financial institutions in Germany.
Upon successful infiltration of the victim host, Marcher sent a list of all installed applications to a remote command and control server. If financial apps were found on the victim devices, the malware displayed login pages that required user input. If banking apps were not found on the system, then a Google Play payment page with counterfeit login form was shown. Its distribution spread to other countries such as Australia, France, Turkey, the United Kingdom and the USA.
The latest version of the malware has changed tactics, this time, the software is being delivered as a fake system update. Security researchers have identified Marcher in malicious installation files titled “Firmware_Update.apk.” Users can get tricked into downloading the file from various fake websites. HTML pages that contain Marcher are designed to look like security alerts with the Google logo.
The updated code can pose as a wide array of popular consumer applications such as Whatsapp, Skype, Viber, Instagram, and others. The produced overlays by the criminal code are almost identical, and users can easily mistake the counterfeit login prompts as legitimate.
Privilege escalation is requested from the user. The recent virus samples have shown an interesting trait – if the infected device is from a CIS country, the malware will stop working.
Users are encouraged to download applications from the Google Play store and disable the installation of applications from unknown sources from the system settings menu of their Android device.