Flash. Bang. Wallet: Marcher crooks target UK Android users

Mobile banking trojan matches banks' look and feel


Miscreants behind the Marcher mobile malware have begun targeting UK banking customers.

The trojan - which already targets banks in other countries, including Germany, Austria, France, Australia and Turkey - has added nine major UK bank brands onto its roster, IBM's X-Force security research team warns.

Marcher is an Android-specific nasty that has been around since late 2013, initially surfacing on Russian-speaking underground cybercrime forums as a tool for snaffling credit card data from compromised devices. Last year Marcher began targeting banks while posing as banking apps, as IBM explains.

Carefully matching each bank’s look and feel, Marcher adapts its fake overlay screens to the organisations it targets. The adaptation is most likely programmed by the original malware developer for an extra fee. However, overlay screens are not complicated to make and can be created by outsourced black-hat developers or the malicious operators.

Marcher is designed to enable online banking, e-commerce and payment fraud by mimicking the legitimate apps in order to trick prospective marks into handing over payment authorisation credentials. The mobile trojan is further capable of hijacking SMS messages and selectively forwarding phone calls from a compromised smartphone. The banking malware is designed to phish credentials and intercept the two-factor authentication elements sent to mobile devices.

The Android nasty’s control of the device’s SMS relay and phone calls also allows it to initiate covert text messages/calls to premium toll numbers registered by the cybercriminals in foreign countries, generating yet more illicit income for the crooks behind the scam in the process.

Marcher spreads to devices via spam emails and text messages that trick prospective marks into thinking they are downloading a Flash update. ®


