top of page

Marcher Malware

Updated: May 19, 2019

Poses Triple Threat to Android Users.

marcher malware

A three-pronged banking malware campaign has been infecting Android phones since the beginning of this year, according to security researchers.

Attackers have been stealing credentials, planting the Marcher banking Trojan on phones, and nicking credit card information. So far, they have targeted customers of BankAustria, Raiffeisen Meine Bank and Sparkasse, but the campaign could spread beyond Vienna.

The attack begins with a phishing message delivered by email to a phone, security researchers at Proofpoint explained in a Friday post. The message pretends to be from the target's bank and contains a link that often is obscured by a Web address shortener like

The link takes the victim to a bogus bank page where the bandits request the target's bank account or PIN information.

Once the hackers have that information, they instruct victims to log into their accounts using their email address and password. All the information entered at the fake banking site is harvested by the hackers.

Permission to Hijack

Instead of getting access to an account, banking customers get a popup message instructing them to install the bank's security app. About 7 percent of targets have downloaded the "security app," which is really the Marcher malware, Proofpoint estimated.

Once installed, the malware asks for extensive permissions -- everything from receiving, sending, reading and writing SMS messages to opening network sockets, reading address books, changing system settings and even locking the phone.

In addition, when applications like the Google Play store are opened, the malware will ask for the user's credit card information.

While banking Trojans and phishing are common fare for cybercriminals, combining the two in a focused campaign isn't, noted Patrick Wheeler, director of threat intelligence at Proofpoint.

"In general, we don't see a lot of crossover between phishing actors and those who distribute malware," he told TechNewsWorld. "The combination of the socially engineered banking Trojan download and multistep phishing attack that gathers credentials or financial information at each step, is fairly unusual."

Not Your Typical Email Attack

The Marcher campaign in Austria is significantly more coordinated than the standard email attack, noted Matt Vernhout, director of privacy at 250ok.

"However, it may have limited impact, as the number of steps required to complete the attack may be more than most individuals are willing to complete," he told TechNewsWorld.

Marcher has been around for a long time, which is why its perpetrators may find it necessary to modify the way they create landing pages to ensnare victims.

"This is likely because security vendors and domain hosts are hot on their heels shutting them down," said Armando Orozco, a senior malware intelligence analyst with Malwarebytes.

"They need other avenues to keep their business model going," he told TechNewsWorld.

Future Expansion

The likelihood of the Marcher campaign spreading is very high, said Proofpoint's Wheeler.

"Marcher has been observed worldwide, and we have already seen a variety of schemes to distribute the malware, primarily via SMS, and increasingly sophisticated social engineering from actors associated with Marcher," he said.

"Any attack such as this one is usually a canary in the coal mine," noted Rajiv Dholakia, vice president of products at Nok Nok Labs.

"One should expect variations of this to continue to evolve and spread around the world," he told TechNewsWorld.

It's not unusual for malware to be released in a single country or region and then, depending on its success, expand to other countries, said Damien Hugoo, director of product marketing at Easy Solutions.

"We have seen many banking Trojans start out in Europe in the past year and expand globally," he told TechNewsWorld.

Protect Yourself

What can consumers do to protect themselves from this kind of attack?

One defense is to use Android phones that are easy to keep current with the latest version of the operating system, like Google's Pixel and Nexus phones, suggested Daniel Miessler, director of advisory services at IOActive.

"Pixel and Nexus stay updated constantly," he told TechNewsWorld.

Also, "never use app stores other than the official Google Play store," Miessler advised, and "for the highest security, refrain from installing apps that are not extremely well known and well-tested."

Consumers need to be vigilant.

"As with phishing attacks on any platform, the onus is on consumers to beware of scams and look for red flags. Unsolicited emails or texts asking for information or giving extensive reasoning for why they should download an app are clear warning signs," advised Proofpoint's Wheeler.

"Apps that ask for extensive permissions or that do not come from legitimate app stores should also be avoided," he said, "unless consumers are absolutely sure of the origin and necessity of the app."

(By John P. Mello Jr. Nov 7, 2017)


bottom of page