Is your organization ready for Marcher?
With the abundance of news stories covering data breaches, nation-state cyber espionage, and ransomware running rampant, it’s no secret that malicious software on the internet is no longer a rare occurrence. Most avid computer users put their trust in anti-virus companies to keep them safe from the ever-expanding threat of cyber criminals attempting to steal their information through malware. Unfortunately, the antivirus market on mobile phones doesn’t quite get the love it needs, and when you combine this fact with the carelessness of mobile users, an application disguising itself as an update for a well-recognized app can run rampant scraping phones for photos, contacts, message history, and account logins.
The Marcher Android BankBot
A mobile Trojan, dubbed Marcher by most antivirus firms, targets legitimate banking apps to harvest banking credentials from users’ smartphones. This Trojan is typically disguised as legitimate software purporting to be an update to a popular app or an “unlocked” version of a paid app.
To combat this problem, RiskIQ uses its crawling platform to scan the web for malicious apps in the wild. In a 30 day survey of our resources, we found seven of these malicious Android application packages (APKs) in our database, all with different target sets. Today, we’ll be focusing on a threat actor that is making use of combined domain and brand infringement to target a major financial institution’s customers.
Recently, RiskIQ discovered a malicious app named after a major bank in Europe. To trick customers into downloading the app and running the Trojan, threat actors hosted the app on an infringing domain similar to the bank’s official website. WHOIS information shows us that the site was registered within the past month by a registrant using a free email service, a huge red flag for possible domain infringement. A phishing page registered with the sole intention of fooling customers, this domain also takes on the appearance of the official login page of the targeted bank.
Upon further examination of the APK, we can see that the app is requesting an excessive amount of permissions. Based on what we know about the app—the time it was registered, the developer using a free email service, and the app asking for excessive permissions—we can conclude beyond a reasonable doubt that this app is fraudulent:
During the investigation of the APK itself, a lot of the Trojan's “features” became apparent. Upon installation, the malicious app will prompt the user for administrative access so it can install the software:
Once administrative rights are relinquished to the Trojan, the threat actor can send and receive commands to the mobile device via a command and control (C&C) infrastructure set up for the malware to beacon back and send its harvested information. In this specific Trojan, we can see the specified C&C URL within the code of the app:
To harvest a user’s credentials, the Trojan will lie dormant until it detects a banking application in use on the device. When a banking application starts, the Trojan will open a phishing overlay on top of the banking app forcing the user to enter their login credentials, which are then sent back to the C&C for the actor to utilize. This Trojan can also silence notifications on the Android device, enabling the actor to send and receive SMS messages behind the scenes. It will even delete any messages the actor wants to keep out of sight from the user, which allows it to bypass any two-step verification that may be in place to keep accounts safe. In some cases, the Trojan even allows authorization for transfers of money from the compromised accounts of the victim.
Looking through the source code, we found that 20 different European banks were being targeted by this specific actor. Using PassiveTotal to pivot off of WHOIS information for the C&C server and the domain on which the malicious Trojan was hosted, we were able to find and identify the infrastructure the actor is using to target these banks, including many more domains infringing on other brands. Using this data, we were able to attribute several other malicious APK files used by this actor to target different geographic regions across the world.
Not everything a user sees on the internet is as it seems. As per a recent survey conducted by Ginger Comms on behalf of RiskIQ, 40% of people rarely or never check app details before downloading. This application is not unique, and there are many more out there just like it, all targeting different customers. Here are some things you can do to protect yourself and your device:
Be careful where the applications are coming from.
Treat your mobile devices the same way you treat your personal computer. Official app stores triage and monitor apps for malicious code within them. Updates for your apps should never have to come from a third party website.
Be wary of excessive permissions and anything requesting administrative access.
An excessive permission request could is an obvious sign that the application is up to no good. Apps promising to change your wallpaper but needing access to contacts, text messages, or stored passwords usually aren’t going to change the wallpaper and move on. And no, that fun game you spend hours playing shouldn’t ever need full administration access to your entire device.
Mobile App Monitoring
RiskIQ continuously scans hundreds of mobile app stores and millions of apps to safeguard brand reputation and customers by detecting malware, application tampering, and brand impersonation. For each customer, RiskIQ creates an inventory of mobile assets that are related to the bank, official and unknown, across the global mobile app ecosystem. This process includes monitoring for new apps, existing apps, app updates, and rogue or fraudulent apps.
Using our data, RiskIQ can detect and monitor these types of threats from the time an infringing domain is registered to the moment the malicious application is hosted for download. Find out more about RiskIQ for Mobile.