IT Security Guru
Porno Flash Player Taking Android Users for a Long March

by The Gurus
March 11, 2016
in News

Zscaler has uncovered new instances of the Android Marcher Trojan being disguised as a Flash Player for watching pornography on Android devices. By prompting users to update their Flash Player through the Google Play Store and deceiving them into entering their payment details, its operators are exploiting goodness knows how many hapless porn-watchers.
The story starts with an e-mail attachment that contains the malicious Adobe Flash file. The X-VIDEO app that users are then told to download has been downloaded over 100,000 times according to the Play Store, but when users click to download, the Marcher Trojan steps in and displays a false payment screen into which users enter their payment information. Of course, in reality they have just handed their details to the hackers and received a dodgy app that never ends up loading.
The Marcher Trojan has been around since 2013, when it sought to scam users out of credit card information by deploying a false Google Play Store payment page. It has also been spotted targeting banking applications and likes to steal credentials.

Technical analysis

The infection cycle starts with the mobile user receiving a malicious URL via e-mail or SMS. Once the user opens this URL, the site will prompt the user to download and install the Adobe Flash Player.
The file that gets downloaded as a result of this action is aptly named AdobeFlashPlayer.apk. Upon installation, the malware asks for administrative access in order to perform its functions.
Once installed, Marcher connects to a predetermined Command & Control (C&C) server and sends information about all the installed applications on the infected device.
During our analysis, we also observed a unique approach in which the C&C server sends a response that generates an MMS notification on the infected device saying “You have received MMS” and instructs the user to visit “mms-service[.]info/mms” to see the content of the MMS.
As part of the infection cycle, Marcher will then display a fake Google Play payment screen asking for payment information to complete the account setup. This site redirects the user to the X-VIDEO app on the official Google Play store. According to several reviews of this app, users are claiming it to be a fake app that simply crashes after installation. We were able to verify the same crash behaviour when it was installed on the latest Android OS, Marshmallow 6.0.1. We haven’t analysed this app in any further detail but have been in touch with Google’s Android team to review these findings. The app in question has been downloaded more than 100,000 times, and some of these downloads may have happened from infected devices. (UPDATE: This app has been verified as clean by Google’s Android team, but they are monitoring it further.)
If the user falls for this screen then the credit card information is logged and relayed to the C&C server as seen below:
Newer variants of Android Marcher will also present a fake online banking login page based on information collected about the banking apps already installed on the victim’s device. Here is a sample fake login page that the user will see if the infected device has the Commonwealth Bank of Australia mobile app installed.
The user’s banking credentials are relayed back to the C&C server in plain text.
BankSA – Bank of South Australia
Following are some of the financial institution mobile apps that are targeted by Marcher:

  • Commerzbank
  • Commonwealth Bank of Australia – NetBank app
  • Deutsche Postbank
  • DKB – Deutsche Kreditbank
  • DZ Bank
  • Deutsche Bank
  • Fiducia & GAD IT
  • ING Direct
  • La Banque Postale
  • Mendons
  • NAB – National Australia Bank
  • PayPal
  • Santander Bank
  • Westpac
  • WellStar billpay app
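Because Marcher relays card data and banking credentials to its C&C server in plain text, and lures victims to the mms-service[.]info domain named above, both behaviours can be picked up in egress-proxy logs. The following Python is an added example, not Zscaler’s or this article’s code: it scans constructed proxy log lines (the c2-example.invalid and example hostnames are placeholders; only the mms-service[.]info lure domain comes from the analysis) for cleartext HTTP POSTs carrying Luhn-valid card numbers or credential fields, and for any contact with the lure domain.

```python
import re
from urllib.parse import parse_qs

# Constructed egress-proxy log sample: "METHOD URL BODY" per line.
# Hosts are placeholders except mms-service.info, the lure domain from the analysis.
SAMPLE_LOGS = [
    "POST http://c2-example.invalid/gate.php cc=4111111111111111&exp=1218&cvv=123&name=A+User",
    "POST http://c2-example.invalid/login login=jsmith&pass=hunter2&bank=netbank",
    "GET http://mms-service.info/mms -",
    "POST https://shop.example.net/checkout token=tok_opaque_ab12",
    "POST http://cdn.example.org/ping v=1&app=weather",
]

# Defanged in the article as mms-service[.]info; undefanged here for matching.
LURE_DOMAINS = {"mms-service[.]info".replace("[.]", ".")}
CARD_RE = re.compile(r"^\d{13,19}$")
CRED_KEYS = {"pass", "password", "pin", "login", "user", "username"}


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(line: str) -> list:
    """Return the reasons a single proxy log line is suspicious (empty list = clean)."""
    method, url, body = line.split(" ", 2)
    scheme, rest = url.split("://", 1)
    host = rest.split("/", 1)[0]
    reasons = []
    if host in LURE_DOMAINS:
        reasons.append("known lure domain")
    if method == "POST" and scheme == "http":       # cleartext submission only
        params = parse_qs(body, keep_blank_values=True)
        values = [v for vals in params.values() for v in vals]
        if any(CARD_RE.match(v) and luhn_ok(v) for v in values):
            reasons.append("cleartext card number")
        if CRED_KEYS & set(params):
            reasons.append("cleartext credentials")
    return reasons


def scan(lines):
    """Map each flagged log line to its reasons; clean lines are omitted."""
    flagged = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            flagged[line] = reasons
    return flagged
```

Run against real proxy exports, the same checks would also fire on legitimate apps that still post form data over plain HTTP, which is itself worth knowing about.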