In a blog post, cybersecurity firm Zscaler reported finding a malicious HTML page that claims the reader's device is vulnerable to viruses, urging the user to install a firmware update. “Some of your photos, chat messages and account passwords may have become visible to others on the Internet,” the message warns ominously.
Unfortunately, this so-called update is merely the malicious Marcher payload, which upon installation requests administrator access. Once granted admin privileges, the malware can serve its true purpose: impersonating legitimate mobile apps by overlaying them with mobile phishing pages that trick users into giving away their credentials and credit card data.
“We have seen PC malware posing as security updates or a malware clean-up utility in the past. With the growing security concerns around mobile malware, this distribution is an attempt to lure users into downloading fake mobile firmware updates to infect their device,” said Deepen Desai, director of security research at Zscaler, in an email interview with SCMagazine.com. “There's a bit of irony here too – users think they are downloading an update to protect their device, when in fact it's actually a malicious application designed to cause harm.”
Previous means of Marcher distribution have included fake Amazon and Google Play store apps, as well as a fake porn site posing as a Chrome update, the blog post stated.
Like its distribution method, Marcher's malicious overlay tactic has evolved since the malware's debut in 2013, Zscaler reported. Originally, the malware exclusively took advantage of Google Play store shoppers by opening a fake overlay page that would not close unless visitors entered their credit card information. By 2014, the malware campaign began targeting global banking institutions, executing fake overlays for financial apps if they were detected on a victim's phone.
Based on newly analyzed samples, however, Marcher is now counterfeiting a wide array of mobile apps, including WhatsApp, Skype, Facebook, Instagram, Chrome, Twitter and Gmail, among others. “The fake overlay pages look very convincing, almost identical,” said Desai. Even with the new additions, “they most often mimic the Google Play payment page or screens for banking or financial applications.”
In the last three months, Zscaler detected over 10 unique Marcher payloads, Desai told SCMagazine.com.
The Zscaler blog post took note of several other new wrinkles in the Marcher campaign, including the introduction of simple obfuscation using base64 encoding and string replace functions. To further boost its own security, the malware now also communicates with its command-and-control server via SSL protocols.
Moreover, these newer Marcher variants will not fully execute if they determine that an infected device is based in Russia or other former Soviet countries. Given that it very well could be Russian in origin, the malware distributors “probably don't want to face any legal actions in their operating territory,” said Desai.