New Marcher Android Banking Malware

By ISBuzz Team
Writer, Information Security Buzz | Jun 27, 2017 04:22 am PST

Following reports of a new Android Marcher variant posing as an Adobe Flash Player update and stealing users’ financial information, such as online banking credentials and credit card details, IT security experts commented below.

Nick Bilogorskiy, Senior Director of Threat Operations at Cyphort:

“Masquerading as an Adobe Flash Player update is a classic malware technique. We saw this recently, in February 2017, with OSX/MacDownloader, a Mac Trojan built to steal passwords from the macOS keychain. It posed as a fake Flash Player update, was found on the Mac of a human rights advocate, and is believed to originate from Iran.

“The famous Russian APT Snake, also known as Turla or Uroburos, was also distributed in a ZIP archive named Adobe Flash, which is a backdoored version of Flash.

“Even back in 2010, when I worked at Facebook, we had to deal with Koobface, a worm that spread by delivering Facebook messages to people who were “friends” of an infected user, with links to what purported to be an update of the Adobe Flash Player.

“This kind of social engineering is very popular on PCs and on Android devices but would not work on Apple iPhones, because Steve Jobs made a decision in April 2010 to disallow Adobe Flash on Apple mobile platforms. This is another one of the ways iPhones are safer from mobile malware than Android smartphones.

“In 2017, Android malware continues to grow, and while banking Trojans like Marcher are popular, most of the growth is coming from the mobile ransomware segment. It increased by over 250 percent during the first quarter of 2017, according to Kaspersky, from 61,832 to 218,625 detected files.

“To reduce the risk of infection on Android: lock your phone to only allow downloads from Google Play and avoid apps that have very few reviews.”

Ryan Wilk, Vice President of Customer Success at NuData Security:

“This latest instance of phishing-style malware is a good reminder to consumers not to trust third-party sites, and to go to their phone’s app store or the vendor’s site for apps and updates. Just as consumers have learned not to accept unsolicited phone calls and emails from banks, the same applies to software downloads. These phishing schemes are all about capturing data. At the core, these schemes look to steal users’ authentication credentials and other sensitive information.

“Any company using authentication needs to move toward newer and more secure techniques, such as passive biometrics and behavioral analytics, that can determine whether the expected human user is accessing and transacting on the account, effectively negating the value of these types of phishing schemes and malware.”

John Gunn, CMO at VASCO Data Security:

“Mobile users will forever fall victim to well-crafted social engineering techniques. What makes Marcher so dangerous is its ability to evade the popular antivirus programs that users currently rely on for protection. The only truly effective defense against this attack is newly developed solutions that identify and mitigate the fake overlay action of Marcher. This is how you stop Marcher from stealing login credentials.”

Frederik Mennes, Senior Manager Market & Security Strategy at VASCO Data Security:

“While in recent years more than 90% of Android mobile banking malware families focused solely on Russian banks and payment organizations, we now see a clear shift to American and European organizations. Last April, the BankBot family targeted over 420 banks, attempting for the first time to steal the logon credentials of many European and American banks via overlay windows. This new variant of Marcher also targets many American organizations. In response to this growing threat, banks should protect their mobile banking apps using security solutions that detect and mitigate the overlay screen.”