Android mobile device users in the UK have a serious potential problem to deal with: “Marcher,” a destructive piece of malware that steals banking usernames and passwords, is targeting their private information.
“Marcher” has been ripping off Android users’ logins since 2013, when the cyber fraud program entered the underground forums for Russian speakers. In the beginning, the malware only went after credit card info by overlaying a phony screen on the Google Play store, which asked for credit card numbers, expiration dates, and codes from users. Then it targeted large banks and financial services, focusing on companies in Germany.
The evolution of Marcher now threatens those who bank with financial companies in Germany, the UK, France, Austria, Turkey, and Australia. Marcher only attacks Android devices; there are no reports of an iOS Marcher malware version.
Specific Targets Within the Android Market
Android users who have the popular KitKat, Jelly Bean, and Lollipop versions installed on their mobile devices are among those hardest hit by the Marcher malware infection, according to researchers at security company Check Point. These users have frequently been receiving phishing emails that purport to be a Flash update. After users click the links in their emails, which they think will let them upgrade their OS and safeguard their devices against identity theft and data loss, Marcher’s process of devastation starts.
The three-step road to havoc relies on deception and trickery: users are coaxed into enabling the installation of apps from outside the Google Play store, then into installing the malicious app, which in turn leads to fake overlay screens popping up on bank apps to gather personal information. These overlays are made to look like necessary components of users’ approved banking applications. Check Point says that they’re easy to create and are often programmed by individuals to whom the original malware operators have outsourced the work.
Banking Apps Are the Target, But Not the Only Victim
About 88 percent of the apps that Marcher targets are banking applications, but this malware also goes after airline, ecommerce, and payment system apps. The primary goal of the malware is to steal login information, which allows easy access to personal information, funds, and more.
IBM says that Marcher’s capabilities turn users’ mobile devices into tools that can harvest authentication elements and credentials whenever the criminals’ needs arise. When a mobile phone or tablet becomes infected with Marcher, those who control the malware can continue to send text messages encouraging users to go to their mobile banking apps and give up private details. This is often done by sending an SMS message that claims money has been deposited into a user’s account.
IBM states that users are typically curious, and that they follow up on the SMS message by checking their accounts right away for the unexpected transfers. Unfortunately, the fake overlay is waiting for them, and it steals their banking credentials. This is possible because the Trojan hijacks the text message and fetches overlays that match a long list of banking apps that the user might have on his or her device.
These deceptions are just a couple of the ways that Marcher is creating mayhem for Android users. As is true with other malware programs, a crucial way to avoid the devastation is to carefully monitor the SMS messages that arrive on your mobile devices. IBM suggests that Android users not follow any URLs from text messages or emails that offer unexpected perks, bonuses, problems, or tools. It’s best to treat these messages with extreme caution, and to delete them immediately and follow up on issues of concern by phone or on a separate device.