Android security triple-whammy: New attack combines phishing, malware, and data theft

Attacks on three fronts ensure attackers have all the information they need to steal banking details in the latest evolution of the Marcher malware, warn researchers.
Written by Danny Palmer, Senior Writer

Video: Which days of the week are the worst for security threats?

Attackers are combining credential phishing, credit card data theft, and malware into a single campaign targeting banking details.

While it's common to see attacks involving phishing or malware, the combination of these tactics in a single campaign targeting Android devices of financial services and banking customers indicates the extent to which attackers are willing to play a longer game in order to get to their goal.

The attacks combine phishing with the distribution of the Marcher Android trojan, a form of banking malware which has been active since at least late 2013. Lures previously used to distribute Marcher include a fake software update, a fake security update, and a fake mobile game.

Marcher first originated on Russian underground forums but has since become a global threat, with the trojan targeting bank customers around the world.

Uncovered by researchers at Proofpoint, the latest Marcher campaign has been ongoing since January and uses a multistep scheme to target customers of Austrian banks.

The attacks begin with phishing emails containing a shortened bit.ly link to a fake version of the Bank Austria login page, which has been registered to a number of different domains containing 'bankaustria' in the title, in an effort to trick the user into believing they're visiting the official site.

Those who visit the fake Bank Austria page are asked for their customer details, following which they are asked for their email address and phone number. These details provide the attackers with everything they need to move onto using social engineering to conduct the next stage of the campaign.


Fake Bank Austria page

Image: Proofpoint

Using the stolen information, the attackers send the users a warning in an message featuring Bank Austria branding which claims the target doesn't have the "Bank Austria Security App" installed on their smartphone.

The message claims EU money laundering guidelines mean that the new Bank Austria app is mandatory for customers and that failure to install it will lead to the account being blocked. The user is directed to a shortened URL and with the claim that following the link will lead to the installation of the app.

See also: What is phishing? How to protect yourself from scam emails and more

Those who click through to this are provided with additional instructions on how to download the app, which says the user needs to alter their security settings to allow the download of applications from unknown sources -- a part of the Android ecosystem which attackers regularly exploit to install malware, which in this case enables the installation of Marcher.

The fake app requires extensive permissions including writing and reading external storage, access to precise location, complete control over SMS messages, the ability to read contact data, the ability to read and write system settings, the ability to lock the device and more.

Once fully installed, the malware places a legitimate looking icon on the phone's home screen, again using branding stolen from Bank Austria.

But this version of Marcher isn't just a banking trojan, it also enables the direct theft of credit card details. Those who've installed Marcher are asks for their credit card information when they open applications such as the Google Play store.

The attackers also ask for information including data of birth, address, and password to ensure they have all the data they require to fraudulently exploit the stolen credentials. Each of the overlays are designed to look official via the use of stolen branding.

Data suggests almost 20,000 people clicked through to the campaign, potentially handing their banking details and personal information into the hands of hackers. Similar campaigns have also started targeting Raffeisen and Sparkasse banks.

Proofpoint warns that this type of attack could become more common.

"As our computing increasingly crosses multiple screens, we should expect to see threats extending across mobile and desktop environments. Moreover, as we use mobile devices to access the web and phishing templates extend to mobile environments, we should expect to see a greater variety of integrated threats like the scheme we detail here," wrote researchers.

In order to avoid falling victim to this type of campaign, users should be wary of unusual domains in general and should be sceptical of any email communication from a bank asking for any sort of credentials. Users should also be wary of downloading apps from unofficial sources which ask for extensive permissions.


The new Marcher campaign attacks on multiple fronts.

Image: iStock

Previous and related coverage

Beware this Android banking malware posing as a software update

Latest version of the mobile malware can steal login credentials from at least 40 banking, retail and social media apps.

Now data-stealing Marcher Android malware is posing as security update

Cybercriminals are telling users their device is at risk from viruses unless they download a particular 'security update' -- which delivers the malware.

IT leader's guide to the threat of cyberwarfare [Tech Pro Research]

This ebook looks at how today's security threats have expanded in their scope and seriousness--and how cyber weapons may define international conflicts in the future.

Read more on cybercrime

Editorial standards