Is your organization ready for Marcher?
With the abundance of news stories covering data breaches, nation-state cyber espionage, and ransomware, it’s no secret that malicious software is no longer a rare occurrence. Most computer users trust antivirus vendors to keep them safe from criminals trying to steal their information through malware. Unfortunately, antivirus coverage on mobile phones lags far behind the desktop, and when that gap is combined with careless user behaviour, an application disguised as an update for a well-known app can run rampant, scraping the phone for photos, contacts, message history, and account logins.
A mobile Trojan, dubbed Marcher by most antivirus firms, targets legitimate banking apps to harvest banking credentials from users’ smartphones. This Trojan is typically disguised as legitimate software purporting to be an update to a popular app or an “unlocked” version of a paid app.
To combat this problem, RiskIQ uses its crawling platform to scan the web for malicious apps in the wild. In a 30-day survey of our data, we found seven of these malicious Android application packages (APKs), each with a different target set. Today, we focus on a threat actor that combines domain and brand infringement to target a major financial institution’s customers.
Fig-1 Marcher, the malicious APK
Recently, RiskIQ discovered a malicious app named after a major European bank. To trick customers into downloading the app and running the Trojan, the threat actors hosted it on an infringing domain resembling the bank’s official website. WHOIS data shows that the domain was registered within the past month by a registrant using a free email service, a strong indicator of domain infringement. Registered with the sole intention of fooling customers, the domain also mimics the official login page of the targeted bank.
Examining the APK, we see that the app requests an excessive number of permissions. Taken together, the indicators gathered so far (the recent domain registration, the free-mail registrant, and the excessive permission requests) leave little doubt that this app is fraudulent:
Fig-2 A lengthy list of unnecessary permissions
During the investigation of the APK itself, many of the Trojan’s “features” became apparent. Upon installation, the malicious app prompts the user to grant it device administrator rights, under the pretext of installing the update:
Fig-3 What the user will see upon installation of Marcher
Once device administrator rights are granted, the Trojan beacons to a command-and-control (C&C) server from which the actor issues commands and to which the Trojan sends its harvested information. In this sample, the C&C URL is hard-coded in the app:
Fig-4 The malicious app’s code
To harvest credentials, the Trojan lies dormant until it detects a banking application in use on the device. When a targeted banking app starts, the Trojan draws a phishing overlay on top of it, prompting the user to enter login credentials, which are then sent to the C&C for the actor to use. The Trojan can also silence notifications on the device, allowing the actor to send and receive SMS messages behind the scenes, and it deletes any messages the actor wants kept out of the user’s sight. This lets it defeat SMS-based two-step verification that may be protecting the account. In some cases, the Trojan even lets the actor authorize money transfers from the victim’s compromised accounts.
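The permission list (Fig-2), the device-administrator prompt (Fig-3) and the hard-coded C&C URL (Fig-4) are exactly the indicators a first-pass static triage can pull out of a decoded APK. The script below is an added example written for this post, not RiskIQ’s tooling. It parses a constructed AndroidManifest.xml and a constructed smali-style string dump, so the package name, class names, URLs, permission weights and score threshold are all assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"
PRIORITY = f"{{{ANDROID_NS}}}priority"

# Permissions that together enable the overlay-plus-SMS-theft pattern described above.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw a phishing overlay on top of other apps",
    "android.permission.GET_TASKS": "can see which app is in the foreground (overlay trigger)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (one-time codes)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.SEND_SMS": "can send SMS silently",
    "android.permission.READ_CONTACTS": "can harvest contacts",
}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
URL_RE = re.compile(r"""https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"'<>]*)?""")

# Constructed manifest modelled on the behaviour described in the post; the
# package and class names are invented for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Bank Update">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed smali-style string dump; the C&C host uses the reserved .invalid TLD.
SAMPLE_STRINGS = """const-string v0, "Bank Update"
const-string v1, "http://c2.example.invalid/api/gate.php"
const-string v2, "https://www.example.com/terms"
const-string v3, "android.app.action.DEVICE_ADMIN_ENABLED"
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the permission and receiver indicators found in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}
    suspicious = [(p, SUSPICIOUS_PERMISSIONS[p]) for p in sorted(requested) if p in SUSPICIOUS_PERMISSIONS]
    # A receiver guarded by BIND_DEVICE_ADMIN is what produces the "activate device administrator" prompt.
    device_admin = any(r.get(PERMISSION) == DEVICE_ADMIN for r in root.iter("receiver"))
    # A high-priority SMS_RECEIVED receiver sees a text before the SMS app does
    # (and, before Android 4.4, could abort the broadcast so the user never saw it).
    sms_hook = any(
        SMS_RECEIVED in {a.get(NAME) for a in f.iter("action")} and int(f.get(PRIORITY, "0")) >= 100
        for f in root.iter("intent-filter")
    )
    return {"package": root.get("package"), "suspicious": suspicious,
            "device_admin": device_admin, "sms_hook": sms_hook}


def extract_urls(strings_dump: str) -> list:
    """Pull every http(s) URL out of a decompiled string table; an analyst still has to judge them."""
    return sorted(set(URL_RE.findall(strings_dump)))


def triage_apk(manifest_xml: str, strings_dump: str) -> dict:
    """Combine the indicators into a score. The weights and threshold are assumptions for this example."""
    result = triage_manifest(manifest_xml)
    result["urls"] = extract_urls(strings_dump)
    score = len(result["suspicious"]) + 2 * result["device_admin"] + 2 * result["sms_hook"]
    result["score"] = score
    result["verdict"] = "likely banking trojan" if score >= 5 else "needs manual review"
    return result


if __name__ == "__main__":
    for key, value in triage_apk(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

In practice the two inputs come from decoding the sample with apktool (AndroidManifest.xml and the smali tree). A high score here is a reason to detonate the sample, not a verdict on its own: legitimate SMS and launcher apps request some of the same permissions, which is why the overlay, SMS-interception and device-admin indicators are weighted together rather than flagged individually.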
Fig-5 First email address used to register infringing domains
Fig-6 Second email address used to register infringing domains. All registrations for both infringing domains and C&C used the same registrant name
Fig-7 Single e-mail address used to register C&C servers
Looking through the source code, we found that 20 different European banks were targeted by this actor. Using PassiveTotal to pivot on the WHOIS information for the C&C server and the domain hosting the Trojan, we identified the infrastructure the actor uses to target these banks, including many more domains infringing on other brands. From this data, we attributed several other malicious APK files, used by the same actor against different geographic regions around the world, to this campaign.
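The pivot described above is a join on registrant data: start from the domains that look like the bank’s (Fig-1, Fig-5), collect their registrant names and email addresses, and pull in every other domain that shares one of them, which is how a second email address and the C&C host surface under the same registrant name (Fig-6, Fig-7). The script below is an added example, not PassiveTotal or any RiskIQ code; the WHOIS records, bank name, registrant, free-mail provider list, age threshold and survey date are all constructed for the example, using reserved .example domains.

```python
from datetime import date

# Free-mail providers to treat as a red flag for a "bank" domain (illustrative list, an assumption).
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "mail.ru", "yandex.ru"}

# Constructed WHOIS records: (domain, registrant name, registrant email, creation date).
# The bank, the registrant and every domain are invented; .example is a reserved TLD.
WHOIS_RECORDS = [
    ("examplebank.example",        "Example Bank plc", "hostmaster@examplebank.example", date(2005, 3, 1)),
    ("examplebank-secure.example", "Ivan Petrov",      "ivan.p.registrar@gmail.com",    date(2016, 11, 20)),
    ("example-bank-login.example", "Ivan Petrov",      "ivan.p.registrar@gmail.com",    date(2016, 11, 22)),
    ("otherbank-update.example",   "Ivan Petrov",      "ivan.p.registrar@gmail.com",    date(2016, 11, 25)),
    ("cdn-static-update.example",  "Ivan Petrov",      "ivan.backup.mail@yahoo.com",    date(2016, 11, 18)),
    ("news-example.example",       "Jane Smith",       "jane@news-example.example",     date(2012, 6, 4)),
]
SURVEY_DATE = date(2016, 12, 10)   # "today" for the age check, fixed so the run is reproducible


def is_lookalike(domain: str, brand: str) -> bool:
    """True if the domain's first label contains the brand once hyphens are removed."""
    label = domain.split(".")[0].lower().replace("-", "")
    return brand.lower().replace("-", "") in label


def flag_infringing(records, brand, official_domains, today=SURVEY_DATE, max_age_days=90):
    """Lookalike domains that are newly registered and/or registered from a free-mail address."""
    flagged = []
    for domain, _name, email, created in records:
        if domain in official_domains or not is_lookalike(domain, brand):
            continue
        reasons = []
        if (today - created).days <= max_age_days:
            reasons.append(f"registered within {max_age_days} days")
        if email.split("@")[-1].lower() in FREE_MAIL_DOMAINS:
            reasons.append("free-mail registrant")
        if reasons:
            flagged.append((domain, reasons))
    return flagged


def pivot_registrant(records, seed_domains):
    """Every domain sharing a registrant name or email with the seeds, and which field linked it."""
    seeds = [r for r in records if r[0] in seed_domains]
    names = {r[1] for r in seeds}
    emails = {r[2] for r in seeds}
    related = {}
    for domain, name, email, _created in records:
        via = [field for field, hit in (("email", email in emails), ("name", name in names)) if hit]
        if via:
            related[domain] = via
    return related


def investigate(records=WHOIS_RECORDS, brand="examplebank", official_domains=("examplebank.example",)):
    """Step 1: flag lookalike domains. Step 2: pivot on their registrants to find the rest of the kit."""
    flagged = flag_infringing(records, brand, set(official_domains))
    related = pivot_registrant(records, {d for d, _ in flagged})
    return {"infringing": flagged, "related": related}


if __name__ == "__main__":
    out = investigate()
    for domain, reasons in out["infringing"]:
        print(f"infringing: {domain}  ({', '.join(reasons)})")
    for domain, via in out["related"].items():
        print(f"related:    {domain}  (via {', '.join(via)})")
```

Note what the second step adds: the constructed C&C host (cdn-static-update.example) shares no email address with the lookalike domains and would never be found by a brand search, but it falls out of the pivot on registrant name, which is the same observation Fig-6 and Fig-7 record. Real WHOIS data is parsed from a registrar’s response rather than typed in, and since registrant fields have been widely redacted following GDPR, the same join is today more often done on name servers, hosting IPs or TLS certificate fields than on email addresses.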
Not everything a user sees on the internet is as it seems. According to a recent survey conducted by Ginger Comms on behalf of RiskIQ, 40% of people rarely or never check app details before downloading. This application is not unique; there are many more out there just like it, each targeting different customers. Here are some things you can do to protect yourself and your device:
Be careful where the applications are coming from.
Treat your mobile devices the same way you treat your personal computer. Official app stores triage and monitor apps for malicious code. Updates for your apps should never come from a third-party website.
Be wary of excessive permissions and anything requesting administrative access.
An excessive permission request is an obvious sign that an application is up to no good. An app promising to change your wallpaper but needing access to contacts, text messages, or stored passwords is unlikely to simply change the wallpaper and move on. And no, that fun game you spend hours playing should never need full administrator access to your entire device.
RiskIQ continuously scans hundreds of mobile app stores and millions of apps to safeguard brand reputation and customers by detecting malware, application tampering, and brand impersonation. For each customer, RiskIQ creates an inventory of mobile assets that are related to the bank, official and unknown, across the global mobile app ecosystem. This process includes monitoring for new apps, existing apps, app updates, and rogue or fraudulent apps.
Using our data, RiskIQ can detect and monitor these types of threats from the time an infringing domain is registered to the moment the malicious application is hosted for download. Find out more about RiskIQ for Mobile.