
Marcher

Posted: September 4, 2019

Marcher is a banking Trojan that can compromise bank accounts on Android devices. Its features include many that are traditional for its threat class, such as manipulating SMS messages, as well as others like locking the phone or altering sound settings. Users should keep anti-malware products installed for detecting and removing Marcher proactively and practice safe browsing behavior for preventing infections.

A Crook Marches to Your Phone through Advertisements

Along with LokiBot and Hqwar, Marcher is one of a series of Trojans that's part of the arsenal of the TipTop threat actors. Their campaigns often compromise bank customers in Russia, although Marcher's feature set is just as much a danger to Android phone owners in Japan, Canada, Egypt or Germany. Losing access to bank accounts and the money therein is a consequence of victims clicking on advertisements a little too trustingly.

Malvertising (or corrupted advertising) is a traditional infection vector for various threats, including banking Trojans like Marcher. In Marcher's case, the advertisements circulate throughout adult streaming media websites and hijack the brands of companies like Germany's Volksbanken Raiffeisenbanken bank. Some versions of the Trojan also employ SMS messaging for self-distribution, which synergizes with other aspects of its payload.

Marcher attacks collect login names, passwords, and related credentials, such as credit card numbers, for bank accounts and other financial transaction services. To do so, the Trojan can intercept SMS messages (for catching temporary passwords and working around 2FA security), send SMS messages and send USSD commands. Which attacks it implements depends on its C&C server commands, and its network infrastructure supports such features as SOCKS 5 proxies and traffic encryption. Malware experts also note its capability of conducting functions that do not collect data, such as, most drastically, locking the phone.
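The capabilities listed above (intercepting and sending SMS, dialing USSD codes, locking the phone) each require specific Android permissions, which makes a decoded AndroidManifest.xml a useful triage signal. The following is an added example, not code from this page or from any vendor; the mapping from capability to permission is this example's own assumption, and the manifest it checks is constructed, not taken from a real sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities described for Marcher, mapped to the Android permissions an app
# would need to implement them (this mapping is the example's assumption).
CAPABILITY_PERMISSIONS = {
    "intercept SMS (2FA codes)": {"android.permission.RECEIVE_SMS",
                                  "android.permission.READ_SMS"},
    "send SMS (self-distribution)": {"android.permission.SEND_SMS"},
    "send USSD commands": {"android.permission.CALL_PHONE"},
    "lock the phone (device admin)": {"android.permission.BIND_DEVICE_ADMIN"},
}

def manifest_permissions(manifest_xml: str) -> set:
    """Return <uses-permission> names plus any permission a declared <receiver>
    requires (a device-admin receiver is protected by BIND_DEVICE_ADMIN)."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms |= {el.get(ANDROID_NS + "permission") for el in root.iter("receiver")}
    perms.discard(None)
    return perms

def banking_trojan_capabilities(manifest_xml: str) -> list:
    """List which Marcher-style capabilities the manifest's permissions enable."""
    perms = manifest_permissions(manifest_xml)
    return [cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed]

# Constructed sample manifest requesting SMS, telephony and device-admin access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for cap in banking_trojan_capabilities(SAMPLE_MANIFEST):
        print("flag:", cap)
```

Run it against a manifest decoded with apktool; an app that requests all four groups at once deserves a closer look, while a single hit (for example SEND_SMS in a messaging app) is not evidence on its own.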

Slowing Down Cyber-Crime's Marching Route

The risks of operating criminal enterprises targeting Russian residents while living in the same country are part of the history lesson Marcher has to tell. Russian law enforcement's intervention makes it far less likely that future Marcher campaigns will occur through the same individuals. However, malware researchers continue classifying Marcher as a threat that's capable of collecting information or money, at will, should another threat actor pick up where the old ones left off.

Preemptive security is a reasonable deterrent against ad-based attacks and drive-by-downloads misusing website hosting. Users can block risky features, especially Flash, Java, and JavaScript, through most browsers' settings. Update requests always should be rejected unless you can confirm the source as being official. All Web surfers also should be cautious around links to unknown or obfuscated destinations.

Traditional anti-malware programs have various means of protecting your phone and the associated accounts. They can delete Marcher infections, block drive-by-downloads, and warn users before a known, corrupted site loads.

The march of Marcher might be cut short – but nothing is stopping it from starting again, at any time. Since most of the defenses against it are just as appropriate for other banking Trojans, every phone owner should be taking the right precautions, anyway.
