Zscaler has uncovered new instances of the Android Marcher Trojan disguised as a Flash Player update for watching pornography on Android devices. By prompting users to install a fake Adobe Flash Player, then showing them a counterfeit Google Play payment screen and deceiving them into filling in their card details, the operators are exploiting goodness knows how many hapless porn-watchers.
The story starts with a malicious link, delivered by e-mail or SMS, that serves the fake Adobe Flash Player APK. The X-VIDEO app that users are then pointed to has been downloaded over 100,000 times according to the Play Store, but before it ever loads the Marcher Trojan steps in and displays a false payment screen into which users enter their card details. In reality they have just handed those details to the attackers and received an app that crashes and never loads.
The Marcher Trojan has been around since 2013, when it first scammed users out of credit card information by deploying a fake Google Play Store payment page. It has since been spotted targeting banking applications and stealing their login credentials.
Technical analysis
The infection cycle starts with the mobile user receiving a malicious URL via e-mail or SMS. Once the user opens this URL, the site prompts the user to download and install a fake Adobe Flash Player.
The file that gets downloaded as a result of this action is aptly named AdobeFlashPlayer.apk. Upon installation, the malware asks for device administrator access in order to perform its functions; an app holding device administrator rights cannot be uninstalled until that access is revoked, which also makes removal harder for the victim.
Once installed, Marcher connects to a predetermined Command & Control (C&C) server and sends information about all the installed applications on the infected device.
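Two of the traits described above, a device-administrator receiver and a label that impersonates Adobe Flash Player, are visible in an APK's manifest before it is ever run. The following triage script is an added example, not Zscaler's tooling and not code from the sample; it parses a decoded AndroidManifest.xml (as produced by apktool) and flags both traits. SAMPLE_MANIFEST is constructed for this example and is not the real AdobeFlashPlayer.apk manifest; its package name com.flashupdate.player is a placeholder.

```python
"""Static triage of a decoded AndroidManifest.xml for device-admin abuse and
Flash Player impersonation. Example code; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Constructed manifest (placeholder package name) modelled on the traits in the analysis.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.flashupdate.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Adobe Flash Player">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _android_attr(elem, name):
    """Read an attribute from the android: namespace (e.g. android:name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _qualify(package, name):
    """Expand the shorthand component name '.Foo' to '<package>.Foo'."""
    if name and name.startswith("."):
        return package + name
    return name


def device_admin_receivers(manifest_xml: str) -> list:
    """Return fully qualified names of receivers that register as device administrators.

    A device-admin component is recognised either by the BIND_DEVICE_ADMIN
    permission on the receiver or by the DEVICE_ADMIN_ENABLED intent action.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    hits = []
    for recv in root.iter("receiver"):
        actions = {_android_attr(act, "name") for act in recv.iter("action")}
        if (_android_attr(recv, "permission") == DEVICE_ADMIN_PERMISSION
                or DEVICE_ADMIN_ACTION in actions):
            hits.append(_qualify(package, _android_attr(recv, "name")))
    return hits


def triage(manifest_xml: str) -> dict:
    """Summarise package, label, device-admin receivers and the resulting warning flags."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = (_android_attr(app, "label") or "") if app is not None else ""
    admins = device_admin_receivers(manifest_xml)
    # Adobe's own packages live under com.adobe.*; a "Flash" label elsewhere is a lure.
    impersonates_flash = "flash" in label.lower() and not package.startswith("com.adobe.")
    flags = []
    if admins:
        flags.append("requests device administrator access")
    if impersonates_flash:
        flags.append("label impersonates Adobe Flash Player outside com.adobe.*")
    return {"package": package, "label": label,
            "device_admin_receivers": admins, "flags": flags}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Two caveats when running this against a real decoded APK: android:label is often a resource reference such as @string/app_name that must be resolved from res/values/strings.xml before the impersonation check is meaningful, and since Adobe discontinued Flash Player for Android in 2012, any app presenting itself as a Flash Player install or update is suspect regardless of its package name.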
During our analysis, we also observed a unique approach in which the C&C server sends a response that generates an MMS notification on the infected device saying “You have received MMS” and instructing the user to visit “mms-service[.]info/mms” to see the content of the MMS. This site redirects the user to the X-VIDEO app on the official Google Play store. According to several reviews of this app, users claim it is a fake app that simply crashes after installation. We were able to verify the same crash behaviour when it was installed on the latest Android OS, Marshmallow 6.0.1. We have not analysed this app in any further detail but have been in touch with Google’s Android team to review these findings. The app in question has been downloaded more than 100,000 times, and some of these downloads may have come from infected devices. (UPDATE: Google’s Android team has verified this app as clean but is monitoring it further.)
As part of the infection cycle, Marcher then displays a fake Google Play payment screen asking for payment information to complete the account setup.
If the user falls for this screen, the credit card information is logged and relayed to the C&C server as seen below:
Newer variants of Android Marcher also present a fake online banking login page, chosen according to the banking apps found installed on the victim’s device. Here is a sample fake login page that the user will see if the infected device has the Commonwealth Bank of Australia mobile app installed.
The user’s banking credentials are relayed back to the C&C server in plain text.
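Because both the card data and the banking credentials travel to the C&C in plain text, a proxy or TLS-inspection log is enough to catch the relay. The detector below is an added example, not Zscaler's code: it walks a constructed log of HTTP requests, inspects cleartext POST bodies, and flags any field that is a Luhn-valid card number or carries a credential-like name. The log format, every line in SAMPLE_LOG, the C&C address 203.0.113.7 (a TEST-NET placeholder) and the package name in the `app` field are assumptions for this example, not indicators from the real campaign.

```python
"""Flag plaintext card-number and credential exfiltration in captured HTTP traffic.
Example code; SAMPLE_LOG is constructed and 203.0.113.7 is a placeholder C&C."""
import re
from urllib.parse import parse_qs

# Constructed proxy export, tab-separated: timestamp, client, method, scheme, host, path, body.
SAMPLE_LOG = """\
2016-03-01T10:02:11Z\t10.0.0.23\tGET\thttp\tcdn.example\t/flash/update\t
2016-03-01T10:02:40Z\t10.0.0.23\tPOST\thttps\tplay.google.com\t/store/apps/details\t
2016-03-01T10:03:05Z\t10.0.0.23\tPOST\thttp\t203.0.113.7\t/gate.php\tid=8f3a&number=4111111111111111&exp=12%2F19&cvv=123&holder=J+DOE
2016-03-01T10:09:17Z\t10.0.0.23\tPOST\thttp\t203.0.113.7\t/gate.php\tid=8f3a&app=com.commbank.netbank&login=12345678&password=hunter2
2016-03-01T10:15:00Z\t10.0.0.41\tPOST\thttp\tintranet.example\t/search\tq=quarterly+report
"""

# Field names that commonly carry a secret; matched case-insensitively (assumed list).
CRED_KEYS = {"login", "username", "user", "password", "pass", "pin",
             "cvv", "cvc", "number", "cardnumber", "pan"}
DIGITS_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(value: str) -> bool:
    """Luhn mod-10 check: separates a real card number from any other long digit string."""
    if not DIGITS_RE.match(value):
        return False
    total = 0
    for i, ch in enumerate(reversed(value)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_log(text: str) -> list:
    """Split the tab-separated export into one dict per request."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, scheme, host, path, body = line.split("\t", 6)
        records.append({"ts": ts, "client": client, "method": method,
                        "scheme": scheme, "host": host, "path": path, "body": body})
    return records


def find_plaintext_exfil(text: str) -> list:
    """Return one finding per cleartext POST whose body carries card data or credentials."""
    findings = []
    for rec in parse_log(text):
        # Only cleartext POST bodies are both inspectable and relevant to this relay.
        if rec["method"] != "POST" or rec["scheme"] != "http" or not rec["body"]:
            continue
        reasons = []
        for key, values in parse_qs(rec["body"], keep_blank_values=True).items():
            for value in values:
                if luhn_ok(value):
                    reasons.append(f"luhn-valid card number in field '{key}'")
                elif key.lower() in CRED_KEYS:
                    reasons.append(f"credential-like field '{key}' sent in clear")
        if reasons:
            findings.append({"ts": rec["ts"], "client": rec["client"],
                             "host": rec["host"], "path": rec["path"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_plaintext_exfil(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} -> {f['host']}{f['path']}: {'; '.join(f['reasons'])}")
```

The Luhn check matters more than it looks: without it, any 13 to 19 digit value (an account number, a timestamp, a device identifier) would raise an alert. Pairing the finding with the destination is what turns it into an incident; a Luhn-valid number going to a bare IP address that no legitimate payment processor uses is exactly the pattern the analysis describes.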
The following financial institution mobile apps are among those targeted by Marcher:
- BankSA – Bank of South Australia
- Commerzbank
- Commonwealth Bank of Australia – NetBank app
- Deutsche Postbank
- DKB – Deutsche Kreditbank
- DZ Bank
- Deutsche Bank
- Fiducia & GAD IT
- ING Direct
- La Banque Postale
- Mendons
- NAB – National Australia Bank
- PayPal
- Santander Bank
- Westpac
- WellStar billpay app