The notorious Marcher malware is now disguising itself as an Android firmware update, in another demonstration of how cybercriminal tactics are constantly evolving in order to dupe unsuspecting users into installing malicious software.
The Marcher malware has been around since March 2013, and was previously distributed through fake Amazon and Google Play store apps. Once Marcher is installed on an Android device -- it hasn't appeared on any other operating system -- cybercriminals send the victim an alert to log in to their banking apps, allowing the crooks to make off with the stolen information.
The malware is initially served up through a fake alert displayed on a compromised HTML page. Ironically, the alert warns the user that their device is vulnerable to computer viruses and data theft, and encourages them to install 'Firmware_Update.apk', a fake security update which will infect the Android device with Marcher.
Once installed, Marcher will ask for administrative access to the infected Android system, allowing the cybercriminals behind it to monitor the device and steal login data not just for banking and payment apps, but also for apps including Facebook, Facebook Messenger, WhatsApp, Instagram, Chrome, Skype, Gmail, the Google Play store, and more.
Marcher checks for each of these well-known apps and shows a fake login page if any of them is opened.
Zscaler has labelled Marcher "the most prevalent threat to the Android devices" due to the constantly evolving nature of the malware. The best way for Android users to avoid falling victim to Marcher is to only download applications from trusted application stores such as Google Play, and not to download anything from unknown sources.