A piece of Android malware designed to steal banking log-ins has added UK banks to its list of targets in the latest phase of its evolution.
IBM X-Force researchers on Thursday said the Marcher malware has now added nine major bank brands in the UK to its target list; the mobile malware already targets users with accounts at banks in Germany, Austria, France, Australia, and Turkey.
Marcher first appeared in late 2013, being sold on Russian-speaking underground forums. At first, the malware was used to steal credit card information by overlaying a fake screen when users accessed the Google Play app store, which would then request users' credit card number, expiration date, and CVV2 code. In 2014, Marcher began targeting financial services, starting with a large bank in Germany.
Marcher attacks all versions of Android - there is not currently an iOS version of the malware - and researchers at security company Check Point said most of the infections are on devices running the Jelly Bean, KitKat, and Lollipop versions of Android reflecting their popularity. The malware is spread by phishing emails that claim to be a Flash update, and ask users to upgrade their systems in order to protect against data loss and identity theft. "If the user clicks the link, it starts a three stepped process, deceives the user into enabling installation from unknown sources (outside Google Play) and then downloads the malicious app," Check Point said.
IBM's analysis said that upgrades to Marcher - such as the fake overlay screens of the organizations it targets - are most likely programmed by the original malware developer for an extra fee. "However, overlay screens are not complicated to make and can be created by outsourced black-hat developers or the malicious operators," it notes.
The vast majority of targets of the malware (88 percent) are banking apps. However, there are variants of Marcher that are designed to steal other kinds of data, such as business banking log-ins. Some versions target airline apps, payment apps, and ecommerce apps.
IBM warned: "Marcher's theft capabilities allow operators to turn user devices into a central place where they can harvest both credentials and two-factor authentication elements."
Once a device is infected with Marcher, the cybercriminals controlling it will send encourage users to log into their banking apps (and thus hand over their details to the fraudsters) by sending them an SMS message claiming that money has been deposited in their account.
"The curious user is inclined to look into the unexpected transfer and promptly accesses the account. This is the moment Marcher takes action and launches a phishing screen overlay on top of the mobile app/browser. The user unknowingly taps access credentials into the overlay, inadvertently allowing Marcher to steal them," IBM said.
The criminals can do this because the Trojan can hijack SMS messages and selectively forward phone calls from the device. The malware can also initiate covert text messages and calls to premium toll numbers registered by the cybercriminals in foreign countries, which generates even more illicit income. The malware looks for specific bank apps and URLs, and comes loaded with hard-coded screens for some companies it targets, but it also dynamically fetches overlays for a long list of other bank apps.
On top of launching screens on app windows, Marcher also targets bank websites, going into action when victims use their browser to visit a set of predefined sites. IBM said Android users should not follow any URLs from SMS messages or emails that offer app upgrades or tools, to delete apps they no longer use, and regularly update those they do. It said users should not root or jailbreak their devices, or activate sideloading on the device, and only obtain apps from official stores. It added: "Read app permissions. If they require options to charge you money, or be run as admin/root, untick that option or cancel the installation."