
Variant of Marcher Android malware poses as Flash Player update

Developers of the Android banking malware Marcher are now disguising the trojan as an Adobe Flash Player update, the cloud security company Zscaler has reported in a Thursday blog post.

This new variant of Marcher, a malware that steals online banking credentials by tricking users with fake overlay pages that impersonate real finance apps, includes in its payload a hard-coded list of targeted apps and the URLs hosting their fake login pages. The list contains 54 targeted apps, including ones from such prominent companies as Chase, Citibank, PayPal, TC Bank, Wells Fargo, and more. (A small number of these apps do not fit the financial category, such as the Google Play and eBay apps.)
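A hard-coded target list paired with overlay URLs is the kind of artifact an analyst looks for when triaging a suspicious APK. The following script is an added example, not code from the Zscaler report or from SC Media: it takes a string dump from a decoded APK (for instance the output of `strings` over `classes.dex`), separates Android-style package names from URLs, intersects the package names with an analyst-maintained watchlist of finance-app packages, and flags the sample when several watched packages appear alongside hosted URLs. The sample strings, the watchlist entries and the `example-invalid.test` hostnames are all constructed for the example.

```python
import re

# Constructed sample of strings as they might come out of a decoded APK.
# Package names and URLs below are placeholders, not indicators from the report.
SAMPLE_STRINGS = """
android.permission.INTERNET
com.example.bankone.mobile
com.example.bankthree.android
com.example.payapp.wallet
com.example.marketplace
http://example-invalid.test/overlays/bankone.html
http://example-invalid.test/overlays/payapp.html
https://example-invalid.test/overlays/marketplace.html
Ljava/lang/String;
Lcom/example/bankone/mobile/LoginActivity;
setPriority
""".strip().splitlines()

# Constructed watchlist: package names of apps whose users the analyst cares about.
# A real list would hold the package names of the finance apps deployed in the fleet.
WATCHLIST = {
    "com.example.bankone.mobile",
    "com.example.bankthree.android",
    "com.example.payapp.wallet",
    "com.example.marketplace",
}

# Android package names: lowercase dotted identifiers with at least three segments.
PKG_RE = re.compile(r"^[a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*){2,}$")
# Plain http(s) URLs on a line of their own.
URL_RE = re.compile(r"^https?://[^\s\"']+$")


def triage_strings(lines, watchlist, min_hits=3):
    """Return package names, URLs and watchlist hits found in a string dump.

    The sample is marked suspicious when at least `min_hits` watched packages
    occur together with at least one URL, i.e. the pattern of a target list
    paired with hosted overlay pages.
    """
    packages, urls = set(), set()
    for line in lines:
        s = line.strip()
        if URL_RE.match(s):
            urls.add(s)
        elif PKG_RE.match(s):
            packages.add(s)
    watched = sorted(packages & set(watchlist))
    return {
        "packages": sorted(packages),
        "urls": sorted(urls),
        "watched": watched,
        "suspicious": len(watched) >= min_hits and len(urls) > 0,
    }


def triage_file(path, watchlist=WATCHLIST):
    """Convenience wrapper: triage a text file produced by `strings`."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage_strings(fh, watchlist)


if __name__ == "__main__":
    result = triage_strings(SAMPLE_STRINGS, WATCHLIST)
    print(f"watched packages: {result['watched']}")
    print(f"urls: {len(result['urls'])}, suspicious: {result['suspicious']}")
```

The heuristic is deliberately coarse: a legitimate app can reference a few other package names, so the threshold matters more than any single hit, and any sample flagged this way still needs manual confirmation that the URLs serve login look-alikes.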

According to Zscaler, a primary source of infection is malicious Popcash.net advertisements that direct users to a dropper URL, where they receive a prompt alerting them that their Flash Player is out of date. Users who are tricked into downloading the phony update are infected with the malicious APK, which then attempts to coax victims into disabling security features and permitting the installation of additional third-party apps.

After installation, the highly obfuscated malware registers itself with a malicious command-and-control server, to which it sends device metadata, a list of installed apps, and any credentials that users enter into the fake log-in overlay pages. To avoid suspicion, Marcher waits a few sleep cycles before deploying these overlays, which appear when the user attempts to open one of the targeted apps.
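The infection chain above (ad network click, redirect to a dropper, "Flash Player update" lure, APK download) leaves a recognisable trail in web-proxy logs. The script below is an added example written for this article, not tooling from Zscaler or SC Media: it parses a simple pipe-delimited proxy log, identifies APK downloads by MIME type or file extension, and raises the severity when the download URL carries a Flash-themed name or the referrer is an ad-network host. The log format, the log lines, the `example-invalid.test` hosts and the `AD_NETWORK_HOSTS` entry are all constructed for the example; the MIME type `application/vnd.android.package-archive` is the standard one for APK files.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log (pipe-delimited), not real traffic. Field order:
# timestamp|client_ip|method|url|status|content_type|referrer|user_agent
SAMPLE_LOG = """\
2017-01-01T10:00:01Z|10.0.0.5|GET|http://ads.example-invalid.test/click?id=1|302|text/html|http://news.example-invalid.test/|Mozilla/5.0 (Linux; Android 6.0)
2017-01-01T10:00:02Z|10.0.0.5|GET|http://cdn.example-invalid.test/update/flash_player.apk|200|application/vnd.android.package-archive|http://ads.example-invalid.test/click?id=1|Mozilla/5.0 (Linux; Android 6.0)
2017-01-01T10:05:00Z|10.0.0.7|GET|https://www.example-invalid.test/index.html|200|text/html|-|Mozilla/5.0 (Linux; Android 7.0)
2017-01-01T10:06:00Z|10.0.0.9|GET|http://files.example-invalid.test/tools/cli.apk|200|application/vnd.android.package-archive|-|Mozilla/5.0 (Linux; Android 7.0)
"""

FIELDS = ["timestamp", "client_ip", "method", "url", "status",
          "content_type", "referrer", "user_agent"]
APK_MIME = "application/vnd.android.package-archive"
# Flash Player for Android has not been offered by Adobe for years, so a
# "Flash" named APK download is itself a lure indicator.
FLASH_LURE = re.compile(r"flash", re.IGNORECASE)
# Constructed placeholder; in practice this holds the ad-network hosts the
# organisation has chosen to watch.
AD_NETWORK_HOSTS = {"ads.example-invalid.test"}


def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != len(FIELDS):
        return None
    return dict(zip(FIELDS, fields))


def is_apk_download(rec):
    """APK by declared MIME type or by the path extension."""
    path = urlparse(rec["url"]).path.lower()
    return rec["content_type"] == APK_MIME or path.endswith(".apk")


def classify(rec):
    """Return an alert dict for an APK download, or None for anything else."""
    if not is_apk_download(rec):
        return None
    reasons = []
    if FLASH_LURE.search(rec["url"]):
        reasons.append("flash-lure")
    ref_host = urlparse(rec["referrer"]).hostname if rec["referrer"] != "-" else None
    if ref_host in AD_NETWORK_HOSTS:
        reasons.append("ad-network-referrer")
    severity = "high" if reasons else "low"
    if not reasons:
        reasons.append("apk-outside-store")
    return {
        "timestamp": rec["timestamp"],
        "client_ip": rec["client_ip"],
        "url": rec["url"],
        "severity": severity,
        "reasons": reasons,
    }


def scan(log_text):
    """Run classify() over every well-formed line and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        alert = classify(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['severity']:5} {alert['client_ip']} {alert['url']} {alert['reasons']}")
```

A low-severity "APK outside the store" alert on its own is noisy in environments where sideloading is permitted; the value of the rule is in the combination, since an APK fetched right after an ad-network redirect, under a Flash-update name, matches the chain the report describes closely enough to warrant pulling the file for the string triage above.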

"We have been seeing regular infection attempts for this Marcher variant in the past month. The frequent changes in the Marcher family indicate that the malware remains an active and prevalent threat to Android devices," the blog post warns.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
