In the security world where Trojans remake themselves more often than a fading Hollywood actor, the Marcher Trojan is no exception. The 3-year-old Marcher has found new relevance targeting Android users visiting porn sites, according to a report from security firm Zscaler.
Over the past month, researchers observed a new Marcher campaign where attackers are attempting to place malware on Android devices by prompting porn surfers to install a malware-infected payload identified as an Adobe Flash Installer Package.
“We have captured over 50 unique payloads from this campaign,” wrote Zscaler in a bulletin posted Thursday. Zscaler told Threatpost it has also documented instances of Marcher malware pushed through popcash[.]net ad network redirects.
Marcher has evolved into a sophisticated Android malware that is fully aware of user device’s application profile, Zscaler said. “This is the first wave where we have seen Marcher variants leveraging a combination of porn lure and [a phony] Adobe Flash Player update,” it added.
While Marcher’s attack methods are new, its goal hasn’t changed. “This malware is still the same – it displays a fake Google Play store payment page and steals financial information from the user,” Zscaler wrote.
For years, the Marcher Trojan has been targeting potential victims with fake Google Play and bank login pages on Android devices. The Trojan has been distributed via third-party app sites, malicious links sent via SMS, and attackers peppering blogging and social media sites with URLs that drive traffic to sites hosting booby-trapped Android apps.
Researchers report that targets are sent porn-themed e-mails or SMS messages with links to malicious sites. Those sites prompt visitors via a pop-up message to download and install an update to the Adobe Flash Player. Attackers try to instill confidence in their victim naming the Flash update “AdobeFlashPlayer.apk.” When a user attempts to install the “AdobeFlashPlayer.apk” they will be asked to uncheck the “install apps from unknown sources” option under Android’s security settings. The victim is then asked by the malware for administrative access, Zscaler said.
Post infection, the Marcher Trojan connects the Android device to the attacker’s command and control server allowing hackers to view a list of programs already running on the device, Zscaler reports. Next, according to researchers, “we also observed a unique approach where the (command and control) server will send a response generating a MMS notification on the infected device saying ‘You have received MMS’ and instructs the user to visit ‘mms-service[.]info/mms’ to see the content of the MMS.”
Victims that follow the link are redirected to Google’s official Google Play store and prompted to install the free X-Video media player app. Recent user reviews of the app are mostly negative with many users complaining the app crashes before installing or installs and won’t launch. According to Zscaler, the X-Video app is not malicious and was given a clean bill of health by Google when security researchers red-flagged the app notifying Google’s Android Team.
Email requests for comment to X-Video’s publisher Xrross Limited by Threatpost were not returned.
After downloading the free X-Video app, the Marcher Trojan then displays a fake Google Play payment screen asking users to update their Google Play credit card information.
Researchers say it’s impossible to determine how many Marcher victims there are. But, as researchers point out, download statistics for the X-Video app on Google Play indicate the app has been downloaded more than 100,000 times.
Zscaler said visiting Google Play and downloading the X-Video app is not a required step in the attack. Any action that leads to the opening of Google Play store app will trigger the fake payment screen to appear, it said.
“This is a new tactic for Marcher where the malware authors are pushing a redirect link to the official Google Play store and the X-Video app,” Zscaler told Threatpost. Researchers theorize the redirect is likely to force the Google Play store app to launch.
According to the firm, newer variants associated with the Marcher porn attacks are also displaying fake online banking login pages to Android users based on what the victim already has installed on their Android device.
“The fake bank login screen will only appear if the device has the relevant online banking app is installed,” Zscaler said.
This is new, researchers report. “Marcher has added support for a wide array of financial institutions and will only target the infected mobile device for the apps that are installed on it making the chances of attack much more successful,” it said.
Zscaler say indications of Marcher infections include the fake Google payment screen popping up and preventing you from accessing the Google Play store without first entering your credit card details.
Alternately, Zscaler suggests Android users who want to check their devices for infection go to Settings > Security > Device Administration. Users should look for an application running with name “Device Admin” and the Adobe Flash player icon.
“If found, you can revoke the administrator rights by clicking on the app and deactivate it. The user can then uninstall the malware by going to Settings > Application manager > AdobeFlashPlayer > Uninstall,” Zscaler said.
