​New Marcher Malware Victimized Android Users in a 3-in-1 Scheme 

​Attackers today are taking their time to get what they want. Researchers at Proofpoint revealed that threat actors or actor since the early part of this year has been siphoning bank details of victims in a prolong attack dubbed by some as “triple threat”.
 
According to Proofpoint, the threat actor since January of this year has been targeting customers of Bank Austria, Raiffeisen Meine Bank and Sparkasse Bank by employing three hacking tactics. The description below shows how personal and bank details of nearly 20,000 bank customers in Austria were stolen by the threat actor using these three hacking tactics: malicious emails, malicious websites and malicious software.
 
Step 1: Malicious Email
The threat actor’s point of entry in attacking the victim is through a malicious email. When this email is opened by the victim using an Android phone, the victim is exposed to a malicious link. The email link is a bit.ly shortened link, aimed at evading detection.
 
Step 2: Malicious Site
Once the malicious link is clicked, the victim is redirected to a phishing site – a fake site that copies the layout and content of a landing page of a bank – that asks for an account number and PIN. The image below is an example of the phishing site that copies branding from Bank Austria.
malicious website

Image by Proofpoint

​The URL addresses of the phishing sites have “bankaustria” words on it, fooling victims into thinking that they’re inside the real Bank of Austria website. Here are some of the malicious URL addresses:
hxxp://online.bankaustria.at.id8817062[.]top/
hxxp://online.bankaustria.at.id8817461[.]top/
hxxp://online.bankaustria.at.id8817465[.]top/
hxxp://online.bankaustria.at.id8817466[.]top/
hxxp://online.bankaustria.at.id8817469[.]top/
hxxp://online.bankaustria.at.id58712[.]top/
hxxp://online.bankaustria.at.id58717[.]top/
hxxp://online.bankaustria.at.id58729[.]top/
hxxp://online.bankaustria.at.id58729[.]top/
hxxp://online.bankaustria.at.id87721[.]top/
hxxp://online.bankaustria.at.id87726[.]top/
 
Once the victim enters his or her banking account information on the fake landing page, he or she is then directed to a page that asks email address and phone number. Below is a sample of the page that asks for the email address and phone number.
fake data collector

Image by Proofpoint

​Step 3: Marcher Malware Infection
Once the attacker siphoned the banking and personal information of the victim, the victim is then asked to download a fake mobile app of a targeted bank. The message below is shown to the victim.
marcher malware infection

Image by Proofpoint

​Proofpoint provides the following translation for the message above.
 
***Start of Translation***
Dear Customer,
The system has detected that the Bank Austria Security App is not installed on your smartphone. Due to new EU money laundering guidelines, the new Bank Austria security app is mandatory for all customers who have a mobile phone number in our system.
 
Please install the app immediately to avoid blocking your account.
 
Follow the instructions at the bottom of this page.
 
Why you need the Bank Austria Security App:
Due to outdated technology of the mobile network important data such as mTan SMS and online banking connections are transmitted unencrypted.
 
Our security app allows us to transmit this sensitive data encrypted to you, thus increasing the security that you will not suffer any financial loss.
 
Step 1: Download Bank Austria Security App
Download the Bank Austria security app to your Android device. To do this, open the displayed link on your mobile phone by typing in the URL field of your browser or scan the displayed QR code.
***End translation***
 
After this message, the victim is then shown additional instructions in installing the bank’s fake mobile app. Below is the screencap of the additional instruction and corresponding translation by Proofpoint.
marcher malware instructions

Image by Proofpoint

***Start of Translation***
Step 2: Allow installation
Open your device’s settings, select Security or Applications (depending on the device), and check Unknown sources.
 
Step 3: Run installation
Start the Bank Austria security app from the notifications or your download folder, tap Install.
 
After successful installation, tap Open and enable the device administrator. Finished!
***End translation***
 
Once the fake app is installed on the victim’s Android phone, the bank’s icon can be seen on the home screen of the victim’s phone. When the app is used for the first time, the victim is asked to provide his or her credit card number and other personally identifiable information, such as date of birth, address, phone number, password, purportedly for authentication.
 
From the malicious email to the malicious sites, fake bank app, the real bank’s branding is copied, causing the victims to throw away their caution. Victims believed that they’ve downloaded the real mobile app of their bank. They instead downloaded the new version of the malicious software (malware) called “Android.Fakebank.B”, also known as Marcher.
 
Marcher malware is an Android-specific malicious software. It was first observed in the wild in October 2013. An older version of Marcher malware came with a call-barring functionality. This functionality was aimed at stopping customers of South Korean and Russian banks from canceling their payment cards that the Marcher malware itself stole. Once installed, this particular version of Marcher malware registers a BroadcastReceiver component that’s triggered every time the victim tries to make an outgoing call. The malware automatically cancels the call once it determines that the victim is calling any of the customer service call centers of the target banks.
 
Another version of the Marcher malware came with a text message spoofing functionality. Once installed into the victim’s Android phone, this specific Marcher malware spoofs a text message from the targeted bank asking the user to verify a fraudulent transaction. This tricks the victim into logging into a fake mobile app of a bank.

​How to Prevent Marcher Malware Attacks

“As on the desktop, mobile users need to be wary of installing applications from outside of legitimate app stores and sources and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites,” researchers at Proofpoint said. “Unusual domains, the use of URL shorteners, and solicitations that do not come from verifiable sources are also red flags for potential phishing and malware.
 
Here are some additional tips to further protect your Android phone from Marcher malware:

  • Keep your software up to date
  • Be discerning when granting permissions requested by mobile apps
  • Install a reputable mobile security app
  • Backup your important data