Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
RiskIQ Digital Threat Management Platform Datasheet
Learn about our platform and products.
Read the Datasheet
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
April 12, 2017, Michael De Vegas
Is your organization ready for Marcher?
With the abundance of news stories covering data breaches, nation-state cyber espionage, and ransomware running rampant, it’s no secret that malicious software on the internet is no longer a rare occurrence. Most avid computer users put their trust in anti-virus companies to keep them safe from the ever-expanding threat of cyber criminals attempting to steal their information through malware. Unfortunately, the antivirus market on mobile phones doesn’t quite get the love it needs, and when you combine this fact with the carelessness of mobile users, an application disguising itself as an update for a well-recognized app can run rampant scraping phones for photos, contacts, message history, and account logins.
A mobile Trojan, dubbed Marcher by most antivirus firms, targets legitimate banking apps to harvest banking credentials from users’ smartphones. This Trojan is typically disguised as legitimate software purporting to be an update to a popular app or an “unlocked” version of a paid app.
To combat this problem, RiskIQ uses its crawling platform to scan the web for malicious apps in the wild. In a 30 day survey of our resources, we found seven of these malicious Android application packages (APKs) in our database, all with different target sets. Today, we’ll be focusing on a threat actor that is making use of combined domain and brand infringement to target a major financial institution’s customers.
Fig-1 Marcher, the malicious APK
Recently, RiskIQ discovered a malicious app named after a major bank in Europe. To trick customers into downloading the app and running the Trojan, threat actors hosted the app on an infringing domain similar to the bank’s official website. WHOIS information shows us that the site was registered within the past month by a registrant using a free email service, a huge red flag for possible domain infringement. A phishing page registered with the sole intention of fooling customers, this domain also takes on the appearance of the official login page of the targeted bank.
Upon further examination of the APK, we can see that the app is requesting an excessive amount of permissions. Based on what we know about the app—the time it was registered, the developer using a free email service, and the app asking for excessive permissions—we can conclude beyond a reasonable doubt that this app is fraudulent:
Fig-2 A lengthy list of unnecessary permissions
During the investigation of the APK itself, a lot of the Trojan’s “features” became apparent. Upon installation, the malicious app will prompt the user for administrative access so it can install the software:
Fig-3 What the user will see upon installation of Marcher
Once administrative rights are relinquished to the Trojan, the threat actor can send and receive commands to the mobile device via a command and control (C&C) infrastructure set up for the malware to beacon back and send its harvested information. In this specific Trojan, we can see the specified C&C URL within the code of the app:
Fig-4 The malicious app’s code
To harvest a user’s credentials, the Trojan will lie dormant until it detects a banking application in use on the device. When a banking application starts, the Trojan will open a phishing overlay on top of the banking app forcing the user to enter their login credentials, which are then sent back to the C&C for the actor to utilize. This Trojan can also silence notifications on the Android device, enabling the actor to send and receive SMS messages behind the scenes. It will even delete any messages the actor wants to keep out of sight from the user, which allows it to bypass any two-step verification that may be in place to keep accounts safe. In some cases, the Trojan even allows authorization for transfers of money from the compromised accounts of the victim.
Fig-5 First email address used to register infringing domains
Fig-6 Second email address used to register infringing domains. All registrations for both infringing domains and C&C used the same registrant name
Fig-7 Single e-mail address used to register C&C servers
Looking through the source code, we found that 20 different European banks were being targeted by this specific actor. Using PassiveTotal to pivot off of WHOIS information for the C&C server and the domain on which the malicious Trojan was hosted, we were able to find and identify the infrastructure the actor is using to target these banks, including many more domains infringing on other brands. Using this data, we were able to attribute several other malicious APK files used by this actor to target different geographic regions across the world.
Not everything a user sees on the internet is as it seems. As per a recent survey conducted by Ginger Comms on behalf of RiskIQ, 40% of people rarely or never check app details before downloading. This application is not unique, and there are many more out there just like it, all targeting different customers. Here are some things you can do to protect yourself and your device:
Be careful where the applications are coming from.
Treat your mobile devices the same way you treat your personal computer. Official app stores triage and monitor apps for malicious code within them. Updates for your apps should never have to come from a third party website.
Be wary of excessive permissions and anything requesting administrative access.
An excessive permission request could is an obvious sign that the application is up to no good. Apps promising to change your wallpaper but needing access to contacts, text messages, or stored passwords usually aren’t going to change the wallpaper and move on. And no, that fun game you spend hours playing shouldn’t ever need full administration access to your entire device.
RiskIQ continuously scans hundreds of mobile app stores and millions of apps to safeguard brand reputation and customers by detecting malware, application tampering, and brand impersonation. For each customer, RiskIQ creates an inventory of mobile assets that are related to the bank, official and unknown, across the global mobile app ecosystem. This process includes monitoring for new apps, existing apps, app updates, and rogue or fraudulent apps.
Using our data, RiskIQ can detect and monitor these types of threats from the time an infringing domain is registered to the moment the malicious application is hosted for download. Find out more about RiskIQ for Mobile.