Marcher Trojan Bypasses 2FA and Overlays Apps to Steal Information

Not all apps on your Android device are equal. Some of them were designed to entertain you, while others were created to make it easier for you to communicate with your loved ones or colleagues. While most apps are useful and legitimate, others can be malicious and dangerous. For example, they could be set up to conceal Marcher, a dangerous banking Trojan that attacks Android users specifically. According to Phishlabs, Marcher is one of the most widespread families of Android banking Trojans in the world, along with BankBot. Unfortunately, multiple different versions of this Trojan might exist, and it is known that this malware has been evolving ever since it was first discovered back in 2013. Yes, this Trojan is not a new infection, but because it continues to exist and to attack systems, it is important to talk about it and remind ourselves how to take care of our Android devices.

The first versions of Marcher were different than the most recent ones. These versions were created to steal information directly from the users of Google Play, which, of course, is the app store for Android users. Unfortunately, malware apps often slip past the vigilant eyes of those responsible for keeping Google Play malware-free. According to a study conducted by the University of Sydney and CSIRO, thousands of counterfeit apps can be found on Google Play. These apps look like legitimate, popular, and well-liked apps, and Android users can be tricked into downloading them without understanding the consequences. Marcher does not rely on fake apps alone. In fact, in the more recent attacks, this infection was distributed using SMS and MMS phishing scams as well as misleading advertising on websites presenting adult content. In any case, action from victims is necessary for the Trojan to slither in, and that is why it is important that we all take a look at how we interact with our devices.

Researchers at the Cyxtera have found that some versions of the Marcher Trojan can bypass two-factor authentication. This is done by intercepting SMS messages that the authentication codes are sent as. Furthermore, the threat can overlap other apps to gather sensitive user information. According to the researchers, 50 institutions can be hit during one individual attack from Marcher, which signifies the Trojan’s reach and power. That, of course, does not mean that this infection is targeted at larger companies or institutions alone. Anyone could be affected by it, and it is important to pay close attention to all apps installed on the device.

If Marcher finds its way into a device, it can be extremely dangerous. For one, it can steal SMS messages, which could allow remote attackers to take over two-factor verification codes and, eventually, hijack victims’ accounts. The threat can also send SMS messages, lock the device, and enable or disable sound to conceal malicious activity. Essentially, the attackers behind this malware can send any command from a remote location, and that is what makes Marcher unpredictable. The worst thing that the Trojan appears to be capable of is overlapping apps. Using this function, the attackers can mimic login screens of certain apps to record login credentials and then hijack accounts. This is most likely to be used to gain access to online banking accounts, and that is why Marcher is usually known as a banking Trojan.

Resetting the device might be the only way to remove Marcher Trojan, but even then, we cannot guarantee that the infection would be completely gone. Therefore, you need to make sure that it does not infect your Android device in the first place. It is important to have your device protected by reliable security software, but you cannot rely on it completely. You also need to pay attention to the links you click or the apps you download. While it is best to install apps from Google Play, you now know that malicious apps could be distributed using this platform too. Therefore, before you install anything new, make sure you do your research, and do not be blinded by fake reviews and ratings. Ultimately, it is up to Google Play and software developers to detect rogue apps and malicious apps before they reach users.

References

Chabala, D., Fleming, J. January 29, 2019. BankBot Anubis Switches to Chinese and Adds Telegram for C2. PhishLabs.
Gunathillake A., Jourjon G., Karunanayake, N., Rajasegaran, J., and Seneviratne, S. 2019, May 17. A Multi-modal Neural Embeddings Approach for Detecting Mobile Counterfeit Apps. ACM Digital Library.
Porras, E. August 17, 2017. Marcher Trojan Isn't Going Away. It's Getting Smarter. Cyxtera.