The Marcher trojan has come up with a new way to infect Android users: pose as a fake firmware update.
Researchers at security firm Zscaler explain this version of the malware is being distributed as “Firmware_Update.apk”:
“An HTML page serving this malware scares the victim by showing that the device is vulnerable to viruses and to prevent personal data theft, prompting them to install the fake update.”
The message, which pretends to come from Google, attempts to frighten Android users into believing that their smartphone or tablet is already infected by malware, and that personal information may be accessible to other internet users.
Your phone is insecure!
Your Android device has 3 critical issues and is vulnerable to viruses.
Some of your photos, chat messages and account passwords may have become visible to others on the internet.
To prevent further data leaks please download firmware update.
Upon installation, the Marcher malware asks for administrative access.
The malware needs those privileges to check for banking and payment apps as well as other well-known services installed on the victim’s device, including Facebook, WhatsApp, Instagram, Gmail, and others. If the user opens any of those apps, Marcher will see it coming, overlay a fake login page, and wait for them to enter their credentials.
Deepen Desai, director of security research at Zscaler, told SCMagazine there’s not much worse than malware masquerading as a security update:
“We have seen PC malware posing as security updates or a malware clean-up utility in the past. With the growing security concerns around mobile malware, this distribution is an attempt to lure users into downloading fake mobile firmware updates to infect their device. There’s a bit of irony here too – users think they are downloading an update to protect their device, when in fact it’s actually a malicious application designed to cause harm.”
It just goes to show how far this trojan has come.
First detected in 2013, Marcher began by targeting Android users’ credentials and credit card information on the Google Play Store. From there, it assumed the guise of banking malware and set its sights on financial organizations in Germany.
Marcher eventually expanded its scope to organizations in Australia, France, Turkey, the United States, and most recently the United Kingdom, using emails, URLs, spoofed login pages, fake Adobe Flash Player updates, and malicious apps available on the Google Play Store (like X-Video) to infect a target’s device.
Aside from adopting a new method of distribution, this latest version of the malware employs code obfuscation, communicates with its command-and-control server via SSL, and implements checks to verify whether the victim is located in Russia, Belarus, or other CIS/SIG countries.
Even so, these ongoing updates make Marcher a force to be reckoned with, as Zscaler’s researchers note:
“We are seeing numerous infection attempts in our cloud for this malware family. These frequent changes clearly indicate active malware development that is constantly evolving – making it the most prevalent threat to the Android devices.”
To protect themselves against this newest iteration of Marcher, Android users should download applications only from trusted developers on the Google Play Store and consider installing an anti-virus solution onto their devices.