Researchers at cloud security company Zscaler have discovered a variant of the Android banking malware Marcher that is even more dangerous than its predecessors: it lurks on the internet disguised as a Flash update.
Users who open the malicious link are told they need to update Flash and offered an APK file to download. Opening the APK prompts the user to change a security setting and allow installation of apps from unknown sources; once the user completes the install, the app prepares to steal the credentials of finance app accounts.
Zscaler's team also reports that fewer than 20 percent of antivirus engines detected this new form of Marcher. Its code is heavily obfuscated, which makes it more dangerous still: a victim can have their credentials harvested without ever realizing the device is infected.
How Marcher Steals Credentials
This fake-Flash version of Marcher operates like older variants. It registers the device with a command and control (C&C) server and then waits for the user to open a finance app; only then does Marcher act.
When the user opens one of more than 40 targeted apps (Chase, PayPal, Citibank and even Walmart are among them), Marcher detects it and covers the real app with a fake login page loaded from a remote server. If the user logs in, the credentials are as good as stolen: Marcher sends them to its C&C server immediately.
How To Protect Yourself
Ideally you will never be infected with this hard-to-spot malware. It has to be installed manually by the user, so the best prevention is not to fall for the lure that gets you to do so.
Apps from outside the Play Store, legitimate or not, can only be installed if the "Unknown sources" security setting is enabled (on Android 8.0 and later this became a per-app "Install unknown apps" permission). Keeping that setting off blocks not just Marcher but any other sideloaded malware.
If you suspect a device is infected with Marcher, don't write it off: booting into safe mode stops third-party apps from running, which lets you uninstall the malware.
Marcher is a threat to both personal and business devices. If you are responsible for managing Android devices, control which apps can be installed, for example through a device management policy, so that something like Marcher cannot get on them in the first place.
Android malware may be everywhere, but much of it can be prevented simply by disabling app installation from outside the Play Store. Malware does still make it into the store, so also make sure a reliable antivirus app is installed on your Android devices.
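As an added example (not Zscaler's code and not part of the original article), here is a small Python triage script for the two checks described above: it interprets the "Unknown sources" setting and lists which third-party packages were not installed by Google Play, which is how a sideloaded fake Flash update would show up. It assumes the output formats of `adb shell settings get secure install_non_market_apps` (the global switch on Android 5 to 7) and `adb shell pm list packages -3 -i`; the package names in the embedded sample are constructed placeholders, not Marcher's, and the `audit_device` helper needs adb and USB debugging to run against a real phone.

```python
import re
import subprocess

# Installers considered trusted. Google Play's package is com.android.vending;
# add your MDM agent's package name here if it installs apps on your behalf.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -i` looks like:
#   package:com.android.chrome  installer=com.android.vending
_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_package_list(text):
    """Map package name -> installer package from `pm list packages -i` output.
    An installer of 'null' (no recorded installer) is returned as None."""
    result = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a package line
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def sideloaded(text, trusted=TRUSTED_INSTALLERS):
    """Return the sorted list of packages whose installer is not a trusted store.
    Packages with no recorded installer count as sideloaded, so feed this the
    output of `pm list packages -3 -i` (third-party apps only): preloaded system
    apps also have installer=null and would otherwise appear here."""
    return sorted(pkg for pkg, inst in parse_package_list(text).items()
                  if inst not in trusted)


def unknown_sources_enabled(setting_value):
    """Interpret `settings get secure install_non_market_apps`.
    '1' means sideloading is allowed; '0' or 'null' (never set) means it is off.
    On Android 8.0+ this global switch was replaced by a per-app 'Install unknown
    apps' permission, so a '0' there is only partial evidence."""
    return setting_value.strip() == "1"


def adb_shell(serial, command):
    """Run a shell command on a connected device via adb and return its stdout."""
    return subprocess.run(["adb", "-s", serial, "shell", command],
                          capture_output=True, text=True, check=True).stdout


def audit_device(serial):
    """Pull both checks from a live device (requires adb and USB debugging)."""
    return {
        "unknown_sources": unknown_sources_enabled(
            adb_shell(serial, "settings get secure install_non_market_apps")),
        "sideloaded": sideloaded(adb_shell(serial, "pm list packages -3 -i")),
    }


# Constructed sample output, not captured from a real device; the package names
# are placeholders (com.example.*), not Marcher's.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.flashupdate  installer=null
package:com.example.sideloaded  installer=com.android.packageinstaller
"""

if __name__ == "__main__":
    print("sideloaded packages:", sideloaded(SAMPLE_PM_OUTPUT))
    print("unknown sources on:", unknown_sources_enabled("1"))
```

Anything the script lists is worth a second look: a package that claims to be a Flash update and was installed by the system package installer rather than Google Play is exactly the pattern described above.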