DeMISTIfying Infosec: Marcher Trojan

By Katherine Teitler

Marcher Trojan

The Marcher Android Trojan is a malware variant which first emerged in late 2013. Sold on underground forums, the early malware targeted predominantly Russian Android users. Marcher appeared as an overlay “payment” page in Google Play when the user tried to download or install an app, its intent to trick users into entering payment information. The payment information, along with other device information, would then be sent back to the attackers’ command and control (C&C) so the attackers could siphon money and monitor for the launch of other applications which could be configured to allow the attackers to steal more money. 

In 2014 a new variant targeting online banking users, primarily in Germany, emerged. Even though the application type changed, the method of stealing was the same; attackers continued to use overlay screens which asked for users’ credentials as a means to steal information. The overlay screens were customized by the malware authors for the target banks, making them look more realistic and valid to users.

Two years later, in early 2016, Marcher reared its head again, targeting visitors of adult content websites. This new version prompts an install of a fake and infected Adobe Flash Installer Package—appearing as “AdobeFlashPlayer.apk.” For installation, the user is prompted to remove restrictions on installing apps from unknown sources and provides the attackers administrative access to the device, including a list of installed apps which attackers can spoof to further steal credentials and payment information. Along with this version, the authors also launched an attack method which leverages MMS messages to instruct the user to download the X-Video porn app. According to sources, the app itself isn’t infected, but the overlay requesting credit card details is, similar to the earliest Trojan versions.

Marcher’s developers also released a phony Android firmware update,“Firmware_Update.apk” into the wild in 2016. This variant displays a “your device is insecure” message, trying to scare the device owner into installing the malware.


Marchers is mainly distributed via third-party applications, through malvertising, adware, malicious links in email/MMS/SMS, and on blog sites and social media. Some versions of the Trojan are capable of blocking well-known antivirus software.

The best way to prevent Marcher from spreading or becoming effective is to install only apps from approved Android sources, avoid clicking on links from unknown or suspicious sources, and to not enter payment information unless it was a user-initiated action.

Get the DeMISTIfying InfoSec newsletter every Tuesday!


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.