Not very often do we have the chance to observe the full flow of an attack. Usually, we can analyze the malware itself and, in some cases, we manage to identify the infiltration vector. But today we’re laying out the full attack flow of the infamous Marcher mobile banker malware.
The Marcher banker first appeared in 2013 and targeted mostly Russian users. At first it targeted only Google Play users, stealing their credit card details by showing a fake card entry page. By March 2014 it had evolved, added bank credential theft to its arsenal, and was targeting customers of German banks. Recently, Marcher resurfaced in a new campaign spread through porn sites. The malware is sold in underground web forums as Malware-as-a-Service, much like PC malware kits.
The malware targeted victims using all in-market Android versions including Marshmallow.
Getting In – Flash Phishing
Phishing is still an excellent way to trick people into becoming infected. Below is an example that was sent to a Check Point employee:
As you can see, the attacker spoofed the sender's display name but used a very suspicious address, certainly not one Adobe would use. The lure is also clearly aimed at Android devices.
If the user clicks the link, a three-step process begins: it deceives the user into enabling installation from unknown sources (that is, outside Google Play) and then downloads the malicious app.
Once the app is downloaded and installed, it requests extended permissions, which enable it to carry out its malicious mission.
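The two tells in the lure above, a display name that claims a brand the sender's domain does not belong to and a link that hands the phone an APK, are both mechanically checkable. The script below is an added example, not code from this post: the brand allow-list, the `registered_domain` helper and the sample message are constructed for illustration.

```python
"""Triage a lure like the Flash phishing above: does the From: display
name impersonate a brand the sender domain is not entitled to, and does
the body push an .apk?  Added example; allow-list and sample are assumed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: domains that legitimately send mail as each brand.
BRAND_DOMAINS = {
    "adobe": {"adobe.com"},
    "paypal": {"paypal.com"},
}

def registered_domain(addr: str) -> str:
    """Last two labels of the address's domain (naive; use a public-suffix
    list in production so 'example.co.uk' is not cut down to 'co.uk')."""
    domain = addr.rsplit("@", 1)[-1].strip().lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain

def impersonated_brand(from_header: str):
    """Return the brand named in the display name when the sender's domain
    is not on that brand's allow-list; None when nothing looks spoofed."""
    name, addr = parseaddr(from_header)
    if not addr:
        return None
    words = set(re.findall(r"[a-z]+", name.lower()))
    domain = registered_domain(addr)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in words and domain not in domains:
            return brand
    return None

def apk_links(body: str) -> list:
    """URLs in the body that point straight at an .apk, i.e. a sideload lure."""
    return [u for u in re.findall(r"https?://\S+", body)
            if u.lower().rstrip(".,;)").endswith(".apk")]

def check_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and report both indicators."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True) or b""
    return {
        "impersonated_brand": impersonated_brand(msg.get("From", "")),
        "apk_links": apk_links(body.decode("utf-8", "replace")),
    }

# Constructed sample, not the real lure: the display name says Adobe, the
# address does not, and the link downloads an APK.
SAMPLE_MAIL = """From: Adobe Flash Player <updates@flash-update.example>
To: employee@example.com
Subject: Your Flash Player is out of date

Update now: http://flash-update.example/FlashPlayer.apk
"""

if __name__ == "__main__":
    print(check_message(SAMPLE_MAIL))
```

The display-name check only works against an allow-list you maintain; its value is that it fires on exactly the mismatch a human notices in the screenshot (brand in the name, unrelated domain underneath) without relying on the sender having set up SPF or DKIM.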
On Your Device – The Banker Malware Itself
Marcher is a relatively ordinary banker, but this version can bypass two-factor authentication (2FA) by stealing the SMS messages sent to the device. As in the infection flow, it achieves this by persuading the user to grant it additional permissions, in this case access to incoming SMS. The Check Point research team has previously reported on this capability in banker malware.
The malware first collects the list of all apps installed on the device and sends it to its C&C server, which checks whether the device contains an app the malware targets. When the user launches a targeted app, the malware displays an overlay mimicking that app's login page to steal the user's credentials.
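The permission request and the overlay behaviour above translate into a recognisable capability set in a sideloaded app's manifest: draw over other apps, learn which app is in the foreground, and intercept incoming SMS. The static triage below is an added example, not code from this post; the post does not list Marcher's actual permissions, so the capability mapping, the sample manifest and the `com.example.flashplayer` package name are assumptions.

```python
"""Static triage of an Android manifest for the capability set an overlay
banker needs.  Added example; permission mapping and sample are assumed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(name: str) -> str:
    """Namespaced attribute key as ElementTree stores it."""
    return "{%s}%s" % (ANDROID_NS, name)

# Capability -> permissions that grant it (assumed typical banker set).
CAPABILITIES = {
    "overlay":    {"android.permission.SYSTEM_ALERT_WINDOW"},
    "foreground": {"android.permission.GET_TASKS",
                   "android.permission.PACKAGE_USAGE_STATS"},
    "sms":        {"android.permission.RECEIVE_SMS",
                   "android.permission.READ_SMS"},
    "persist":    {"android.permission.RECEIVE_BOOT_COMPLETED"},
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

def triage_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    perms = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    caps = {c for c, needed in CAPABILITIES.items() if perms & needed}
    # A receiver for SMS_RECEIVED is the classic interception pattern; a high
    # priority on its filter lets it see the message before the SMS app does.
    sms_receiver = False
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(android_attr("name")) for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                sms_receiver = True
    banker_like = {"overlay", "foreground", "sms"} <= caps
    return {
        "package": root.get("package"),
        "capabilities": sorted(caps),
        "sms_receiver": sms_receiver,
        "verdict": "overlay-banker-like" if banker_like else "inconclusive",
    }

# Constructed manifest in the shape a sideloaded "Flash Player" banker might
# carry; the package name is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Flash Player">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reader">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

On Marshmallow, the version the post singles out, `RECEIVE_SMS` and `READ_SMS` are runtime permissions and `SYSTEM_ALERT_WINDOW` has to be switched on by the user in Settings, which is why the malware has to talk the victim into granting them rather than simply declaring them at install time.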
The apps targeted in this campaign are all Australian and include the following:
- Bank West
- Commonwealth Bank of Australia
- George Bank
- ING Direct Australia
- Bank of South Australia
- NAB – National Australia Bank
Marcher also targets PayPal, and other samples have been reported to target a broad range of banks across various countries. Marcher goes a step further and lures users into logging in by spoofing notifications from the targeted apps; when the user opens the app in response, the overlay captures their credentials.
Completing the Malicious Mission: Data Sent to the C&C
This is an area rarely witnessed by outsiders. We managed to take a look at the C&C repository to see what the attackers were hiding there. We found the following data collected from infected devices:
- Installed APKs per infected device. The table contains more than 13,000 applications.
- Spoofed bank app notifications. Marcher lures users into logging into their bank accounts with notifications claiming that AUD$7900 was added to their account.
- Bot table containing the victims' identity: IMEI, device model, OS version, phone number, location, country and more. The table contains nearly 1,000 victims:
- Details of 540 credit cards, including cardholder name, number, expiration date and CVC.
- Stolen credentials of 300 victims for various apps (PayPal, Gmail), stored base64-encoded, which is an encoding rather than encryption and is trivially reversed:
- SMS table: stolen SMS messages with their full text. The attackers steal every SMS, since they cannot know in advance which message carries the one-time code they need to bypass 2FA:
Examples of stolen SMSs
And oh, the irony!
- Admin credentials
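An analyst handed an export of tables like these needs to do three things quickly: decode the base64 credentials, separate real card numbers from junk typed into the fake form, and pick the one-time codes out of the SMS table, all without letting full card numbers into a report. The script below is an added example, not code from this post; the field names and every record in `SAMPLE_DUMP` are constructed, since the post does not show the repository's real layout.

```python
"""Offline triage of a banker C&C export modelled on the tables above
(bots, cards, credentials, SMS).  Added example; layout and data assumed."""
import base64
import re
from collections import Counter

def decode_cred(blob: str) -> str:
    """Base64 is an encoding, not a cipher: one call recovers the plaintext."""
    return base64.b64decode(blob).decode("utf-8", "replace")

def luhn_valid(pan: str) -> bool:
    """Mod-10 check used by payment card numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep BIN and last four, hide the rest, so reports never carry a full PAN."""
    d = re.sub(r"\D", "", pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]

OTP_RE = re.compile(r"\b\d{4,8}\b")   # one-time codes are 4 to 8 digits

def triage_dump(dump: dict) -> dict:
    victims = Counter(b["country"] for b in dump["bots"])
    valid_cards = [c for c in dump["cards"] if luhn_valid(c["number"])]
    creds = [(c["app"], decode_cred(c["data"])) for c in dump["creds"]]
    otps = []
    for s in dump["sms"]:
        m = OTP_RE.search(s["text"])
        if m:
            otps.append((s["from"], m.group()))
    return {
        "victims_by_country": dict(victims),
        "cards_total": len(dump["cards"]),
        "cards_luhn_valid": [mask_pan(c["number"]) for c in valid_cards],
        "credentials": creds,
        "otp_messages": otps,
    }

# Constructed dump. 4111 1111 1111 1111 is a standard test PAN; the second
# card is deliberately not Luhn-valid, as junk entries in a fake form often are.
SAMPLE_DUMP = {
    "bots": [
        {"imei": "000000000000001", "device": "SM-G920", "os": "6.0", "country": "AU"},
        {"imei": "000000000000002", "device": "Nexus 5", "os": "5.1", "country": "AU"},
        {"imei": "000000000000003", "device": "GT-I9505", "os": "4.4", "country": "DE"},
    ],
    "cards": [
        {"name": "A Victim", "number": "4111 1111 1111 1111", "exp": "09/18", "cvc": "123"},
        {"name": "asdf", "number": "1234 5678 9012 3456", "exp": "01/01", "cvc": "000"},
    ],
    "creds": [
        {"app": "paypal", "data": base64.b64encode(b"victim@example.com:Hunter2").decode()},
    ],
    "sms": [
        {"from": "BANK", "text": "Your one-time code is 482913. Do not share it."},
        {"from": "+61400000000", "text": "see you at 7"},
    ],
}

if __name__ == "__main__":
    print(triage_dump(SAMPLE_DUMP))
```

The Luhn filter is a triage aid, not proof that a card is live, and the OTP regex will also match other short numbers; both are there to get an analyst to the notifiable victims first, with card numbers masked before anything leaves the machine.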
Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.