This new variant of Marcher, a malware that steals online banking credentials by tricking users with fake overlay pages that impersonate real finance apps, includes in its payload a hard-coded list of targeted apps and the URLs hosting their fake login pages. The list contains 54 targeted apps, including ones from such prominent companies as Chase, Citibank, PayPal, TC Bank, Wells Fargo, and more. (A small number of these apps do not appear to fit into the financial category, including the Google Play and eBay apps.)
According to Zscaler, a primary source of infection is malicious Popcash.net advertisements that direct users to a dropper URL, where they receive a prompt alerting them that their Flash Player is out of date. Users who are tricked into downloading the phony update are infected with the malicious APK, which then attempts to coax victims into disabling security features and permitting additional third-party apps to install.
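The infection chain described above (ad network, then a "Flash Player update" lure, then an APK download) leaves a recognisable footprint in web-proxy logs. The following detector is an added example written for this page, not code from Zscaler or from the article; the log format, the client addresses, the lure domain `update-flash-player.test` and the 120-second correlation window are all constructed assumptions, and only the Popcash.net ad-network name comes from the text.

```python
"""Flag Android APK downloads that follow an ad-network hit and carry an
update-style lure name, the pattern described for this Marcher campaign.

Added example for this article; the log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: ts client method url status content_type referer
SAMPLE_LOG = """\
2017-04-03T10:00:01 10.0.0.5 GET http://cdn.popcash.net/pop.js 200 application/javascript http://news.example/article
2017-04-03T10:00:04 10.0.0.5 GET http://update-flash-player.test/landing 200 text/html http://cdn.popcash.net/pop.js
2017-04-03T10:00:09 10.0.0.5 GET http://update-flash-player.test/FlashPlayer_update.apk 200 application/vnd.android.package-archive http://update-flash-player.test/landing
2017-04-03T10:05:00 10.0.0.7 GET http://mdm.corp.example/apps/corp-mail.apk 200 application/vnd.android.package-archive -
2017-04-03T10:06:00 10.0.0.9 GET http://cdn.popcash.net/pop.js 200 application/javascript http://news.example/other
"""

# Ad network named in the article; extend with others seen in your own telemetry.
AD_NETWORKS = {"popcash.net"}
# Lure wording the campaign uses ("Flash Player is out of date"); assumed regex.
LURE_PATTERN = re.compile(r"flash|update", re.IGNORECASE)
APK_MIME = "application/vnd.android.package-archive"


def domain_of(url: str) -> str:
    """Return the registrable-ish host part of a URL ('-' for no referer)."""
    host = urlparse(url).hostname or ""
    return host.lower()


def is_ad_network(host: str) -> bool:
    """True if host is, or is a subdomain of, a known ad network."""
    return any(host == ad or host.endswith("." + ad) for ad in AD_NETWORKS)


def parse_log(text: str):
    """Yield one dict per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype, referer = line.split()
        yield {
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "url": url,
            "content_type": ctype,
            "referer": referer,
        }


def detect_lure_apk_downloads(log_text: str, window_seconds: int = 120):
    """Return alerts for APK downloads preceded (within the window) by an
    ad-network request from the same client and named like an update lure."""
    last_ad_hit = defaultdict(lambda: None)  # client -> timestamp of last ad hit
    alerts = []
    window = timedelta(seconds=window_seconds)

    for rec in parse_log(log_text):
        host = domain_of(rec["url"])
        if is_ad_network(host):
            last_ad_hit[rec["client"]] = rec["ts"]
            continue

        is_apk = rec["content_type"] == APK_MIME or rec["url"].lower().endswith(".apk")
        if not is_apk:
            continue

        filename = urlparse(rec["url"]).path.rsplit("/", 1)[-1]
        recent_ad = last_ad_hit[rec["client"]]
        ad_recent = recent_ad is not None and rec["ts"] - recent_ad <= window
        if ad_recent and LURE_PATTERN.search(filename):
            alerts.append({
                "client": rec["client"],
                "url": rec["url"],
                "reason": f"APK '{filename}' with update lure name {int((rec['ts'] - recent_ad).total_seconds())}s after ad-network hit",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_lure_apk_downloads(SAMPLE_LOG):
        print(alert)
```

Run as-is, the script reports only the 10.0.0.5 download: the corporate MDM APK pulled by 10.0.0.7 has no ad-network precursor and no lure name, so it is left alone. Tuning the window and the lure regex to local traffic is where most of the false-positive work sits.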
After installation, the highly obfuscated malware registers itself with a malicious command-and-control server, to which it sends device metadata, a list of installed apps, and any credentials that users enter into the fake login overlay pages. To avoid suspicion, Marcher waits a few sleep cycles before employing these overlays, which appear when the user attempts to open one of the targeted apps.
"We have been seeing regular infection attempts for this Marcher variant in the past month. The frequent changes in the Marcher family indicate that the malware remains an active and prevalent threat to Android devices," the blog post warns.