Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Incident Response, TDR, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Marcher steps up game: Malware poses as security update, imitates popular apps

Looking to capitalize on mobile device owners' growing security fears, a new variant of the Android malware Marcher is infecting victims by fraudulently posing as a firmware security update.

In a blog post, cybersecurity firm Zscaler reported finding a malicious HTML page that claims the reader's device is vulnerable to viruses, urging the user to install a firmware update. “Some of your photos, chat messages and account passwords may have become visible to others on the Internet,” the message warns ominously.

Unfortunately, this so-called update is merely the malicious Marcher payload, which upon installation will request administrator access. Once granted admin privileges, the malware can serve its true purpose, impersonating and overlaying legitimate mobile apps with mobile phishing pages that trick users to giving away their credentials and credit card data.

“We have seen PC malware posing as security updates or a malware clean-up utility in the past. With the growing security concerns around mobile malware, this distribution is an attempt to lure users into downloading fake mobile firmware updates to infect their device,” said Deepen Desai, director of security research at Zscaler, in an email interview with “There's a bit of irony here too – users think they are downloading an update to protect their device, when in fact it's actually a malicious application designed to cause harm.”

Previous means of Marcher distribution have included fake Amazon and Google Play store apps, as well as a fake porn site posing as a Chrome update, the blog post stated.

Like its distribution method, Marcher's malicious overlay tactic has evolved since the malware's debut in 2013, Zscaler reported. Originally, the malware exclusively took advantage of Google Play store shoppers by opening a fake overlay page that would not close unless visitors entered their credit card information. By 2014, the malware campaign began targeting global banking institutions, executing fake overlays for financial apps if they were detected on a victim's phone.

Based on newly analyzed samples, however, Marcher is now counterfeiting a wide array of mobile apps including Whatsapp, Skype, Facebook, Instagram, Chrome, Twitter and Gmail and more. “The fake overlay pages look very convincing, almost identical,” said Desai. Even with the new additions, however, “they most often mimic the Google Play payment page or screens for banking or financial applications.”

In the last three months, Zscaler detected over 10 unique Marcher payloads, Desai told

The Zscaler blog post took note of several other new wrinkles in the Marcher campaign, including the introduction of simple obfuscation using base64 encoding and string replace functions. To further boost its own security, the malware now also communicates with its command-and-control server via SSL protocols.

Moreover, these newer Marcher variants will not fully execute if they determine that an infected device is based in Russia or other former Soviet countries. Given that it very well could be Russian in origin, the malware distributors “probably don't want to face any legal actions in their operating territory,” said Desai.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.