Researchers at cloud security company Zscaler have discovered a variant of the Marcher banking malware that makes it even more dangerous: it is circulating on the internet disguised as a Flash update.
Users who open a suspect link are told they need to update Flash and offered an infected APK file to download. Opening the APK prompts the user to change the security setting that blocks installation of third-party apps, at which point the APK installs itself and prepares to steal credentials for finance app accounts.
Zscaler’s team goes on to state that fewer than 20 percent of antivirus products were able to detect this new form of Marcher. Its code is highly obfuscated, which makes it even more dangerous: those who have it may have their credentials harvested without ever realizing it.
How Marcher steals credentials
This fake Flash version of Marcher operates exactly like older variants. It registers the device with a command and control (C&C) server and waits for an unsuspecting user to open a finance app. It’s then that Marcher springs into action.
When a user opens one of over 40 affected apps (Chase, PayPal, Citibank, and even Walmart are among them), Marcher intercepts the login page request and opens a fake one hosted on the internet. If the user logs in, their credentials are as good as stolen: Marcher sends them to its C&C server immediately.
How to protect yourself
Ideally you won’t ever get infected with this hard-to-spot malware. It has to be installed manually, so the best possible prevention is not falling for its attempts to make you do so.
Third-party Android apps, legitimate and illegitimate alike, can only be installed after a security setting is changed to allow it. Making sure this setting stays turned off prevents not just Marcher but other dangerous apps from being installed.
- Open the Settings app.
- Go to Security.
- Find the Unknown Sources item and make sure it’s toggled off.
If you suspect a device does have a Marcher infection, don’t give it up for dead: it is still possible to boot into safe mode to remove malware.
Marcher is a threat to both personal and business devices. If you are responsible for managing Android devices, make sure you control app installation to prevent infections like Marcher.
Android malware might be everywhere, but much of it can be prevented simply by disabling app installation from outside the Play Store. Malware from the store is still a problem, so be sure you have a reliable antivirus app installed on Android devices too.
The three big takeaways for TechRepublic readers:
- A new version of the Marcher Android malware is masquerading as an Adobe Flash update.
- Once installed, Marcher redirects app users to false sign-in pages that it uses to steal credentials from finance-related apps.
- Android owners and administrators should be sure third-party app installation is turned off to prevent Marcher and malware like it from being accidentally installed.