Android Trojan “Marcher” Almost Impossible to Eliminate

In the recent months, different types of malware manifested itself in various forms, spanning most common platforms. Perhaps the most notorious piece of malicious code came from the FBI themselves; they used a controversial NIT on Tor users worldwide. A more common type of machine infection, within these past few months, took the form of banking trojans. Modernized and increasingly active variants have surfaced as of late, and one such example took the form of an Android trojan called Marcher.

Marcher, according to security analysts, is an especially advanced and increasingly active Android banking trojan. For instance, Android 6 (Marshmallow) packed a wide array of security enhancements when compared to its predecessors. One such enhancement—Runtime Permissions—played an important role in protecting against malware like Marcher. Yet the banking trojan quite capably executes its overlay attack, disregarding Marshmallow’s enhanced security.

According to Pham Duy Phuc, Niels Croese Han Sahin, most victims fall for a classic phishing attack. The victim receives a message that “includes a link that leads to a fake version of a popular app, using names like Runtastic, WhatsApp or Netflix.” Upon installation, the trojan requests device permissions that may seem normal, along with advanced privileges like “Device Administration.”

Marcher can request privileges intuitively, too. SMS (read and write) permissions appear initially, and allow the first attack vector. The other permission that Marcher “smartly” requests is the Device Administration access permission. In contrast to similar forms of Android malware, Marcher uses this request as a type of Anti-Virus circumvention. Despite being marked malicious by many AV systems, the victim has no choice but to allow Device Administration. “Even when users deny or kill the process it will come up again, until they accept the request. Having this permission enables malware to lock and mute the phone, even reset the password and make a permanent phishing WebView, researchers explained.

A brief excerpt of Marcher`s required permissions is as follows:

android.permission.CALL_PHONE (call phone numbers)

android.permission.WRITE_SETTINGS (read/write global system settings)

android.permission.RECEIVE_SMS (intercept SMS messages)

android.permission.READ_PHONE_STATE (read phone details of the device such as phone number and serial number)

android.permission.CHANGE_WIFI_STATE (connect to and disconnect from Wi-Fi networks and make changes to configured networks)

The list goes on for quite some time and is remarkably suspicious based on the length of permissions alone. Marcher also takes advantage of the “AndroidProcesses library” that enables the fake application to know exactly which process or application is currently on the screen. Through this library, Marcher utilizes the second attack vector: the overlay attack. And in Android 6.0 and above, overlay attacks are difficult to achieve on a non-rooted device.

In short form, the banking trojan checks which application is currently running and displays a matching overlay. This overlay is considered seamless to the end user, “often indistinguishable from the expected screen.” From this screen overlay, assuming the trojan can target it, Marcher grabs the user’s credentials and relays them back to the C2 back-end.

From the C2 panel, with assistance from a lengthy page of user-allowed privileges, Marcher is highly adaptable. The list below covers the applications already recognized or vulnerable, but hackers add more at their own choosing.

Volksbank Banking; BAWAG P.S.K.; easybank; ErsteBank/Sparkasse netbanking; Bank Austria MobileBanking; Meine Bank; ING-DiBa Banking + Brokerage; Raiffeisen ELBA; Sparkasse; comdirect mobile App; Consorsbank; DKB-Banking; VR-Banking; Postbank Finanzassistent; Santander MobileBanking; Barclays Mobile Banking; Bank of Scotland Mobile Bank; Lloyds Bank Mobile Banking; Halifax Mobile Banking app; HSBC Mobile Banking; NatWest; Royal Bank, RBS; Santander MobileBanking; Ulster Bank ROI; Personal Banking; TSB Mobile Banking; Bualuang mBanking; K-PowerPay mPOS; SCB EASY; Santander Río; Banco do Brasil; Banca Personas; BBVA Colombia; Banco de Bogotá; Bancomer móvil; Banco Provincia; BBVA Francés | Banca Móvil AR; BBVA Continental – Banca Móvil; Banca Móvil BCP; Citibanamex Móvil; AV Villas App; Banco Galici; Davivienda Móvil; Santander Brasil; Bancolombia App Personas; Supermóvil; Banelco MÓVIL; Link Celular; Interbank APP; Bancoomeva Móvil; Banco de Occidente B.P; ING DIRECT Australia Banking; NAB; Bankwest; CommBank; BankSA Mobile Banking; St.George Mobile Banking; Westpac Mobile Banking; Chase Mobile; Citi Mobile®; Schwab Mobile; Wells Fargo Mobile; ING-DiBa Kontostand; Online-Filiale+; DKB-pushTAN; Banque; Mes Comptes – LCL pour mobile; Mes Comptes BNP Paribas; CIC; La Banque Postale; Cyberplus; Ma Banque; L’Appli Société Générale; Santander Totta; Millenniumbcp; ING Direct France; BRED; Pro Entreprises LCL; L’Appli Pro Société Générale; AXA Banque France; Mon Compte-Nickel; Carrefour Banque; Easy Banking; PayPal; Western Union International; Cyberplus PRO; Akbank Direkt; Akbank Direkt Sifreci; CEPTETEB; QNB Finansbank Cep Subesi; Garanti CepBank; Garanti Cep Sifrematik; Garanti Mobile Banking; Halkbank Mobil; ING Mobil; IsCep; fastPay; MobilDeniz; SEKER MOBIL SUBE; VakifBank Mobil Bankacilik; Yapi Kredi Kurumsal Mobil Sube; Yapi Kredi Mobil Sube; Yapi Kredi Mobile;Ziraat Mobil; Akbank Direkt Tablet; SmartBanking SK; CSOB SmartBanking.

And that’s just a list of the banking apps, so far. Marcher attacks other applications that need a credit card input, even if the app itself is not a banking app. Several credit card company apps are becoming vulnerable as well. The list of permissions allows the Trojan to change so frequently – researchers only hope to keep it up. Android 7.x.X remains untested but likely suffers from the same vulnerabilities that Marshmallow does. This is, of course, dependant on specific carrier and phone builds; not every security patch lands simultaneously.