Saturday, 12 March 2016 12:57

If you view porn don’t do it on Android – and don’t do it in Australia

By Ray Shaw

A new version of the Android Marcher Trojan, first seen in 2013, may give you a few minutes of pleasure but potentially a lifetime of pain. It is attacking Australian users and banks with a passion.

As usual, it comes disguised as a Flash installer – doesn’t all the best malware come like that? – and is served by a majority of porn sites that ‘need to update your Flash Player’. Users are taken to a kosher-looking Google Play site where the malware is downloaded, and in some cases it asks for a nominal payment so it can get an early march on stealing financial information too.

It can also come via email or SMS where a ‘buddy’ urges you to get free, graphic porn – or some other vicarious appeal – and if you click the link, it downloads AdobeFlashPlayer.apk and asks for Administrator privileges to satisfy your needs.

Once installed, it contacts a command-and-control server, and all your data can be compromised. It currently has over 50 payloads doing different things, but for the most part it hijacks banking pages. Google Android apps specifically targeted include Chrome Browser, Phone, Contacts, Browser, Calendar, and Settings.

Following are some of the financial institution mobile apps that are targeted by Marcher. Note that more than 29% of infections have been reported from Australia:

  • Commonwealth Bank of Australia - NetBank app
  • BankSA - Bank of South Australia
  • BankWest
  • George Bank (St George)
  • ING Direct
  • NAB - National Australia Bank
  • PayPal
  • Westpac

International

  • Commerzbank
  • Deutsche Bank
  • ING DiBa
  • Sparkasse, as well as their subsidiary Star Finanz
  • Adesso
  • Deutsche Postbank
  • DKB, Deutsche Kreditbank
  • DZ Bank
  • Fiducia & GAD IT, the provider for many of Germany's "FinanzGruppe" co-operative banks and savings and loans-type institutions
  • Santander Bank, formerly Sovereign Bank, who are US-based but have international operations, and the German mobile app is targeted specifically
  • Volkswagen Financial Services
  • Lufthansa (the German airline)
  • Caisse D'Epargne, Banque et Assurances (a savings bank)
  • La Banque Postale
  • Mendons, a Michigan-based financial services company
  • WellStar, a healthcare network account management and billpay app
  • PayPal (all regions)

Marcher is available as a kit for sale on the dark web. Buyers represent different threat actor groups with their preferred distribution methods and targets. The kit includes webpages that emulate various login pages or payment card acceptance pages for other mobile apps.

Besides passive placement on unofficial, third-party app repositories, Marcher is actively distributed to potential victims via several different vectors, including:

  • PC adware, including targeting via tracked visits to the websites of targeted financial institutions
  • Mobile adware and "app pushers"
  • Links spammed on microblogging and social media services
  • Links in spam email messages
  • SMS messages, including SMS sent from users already infected to their contacts

Marcher is a "fire and forget" type of malware. Once it is distributed, the cyber-criminal passively collects any stolen data. It fetches any new fake overlay webpages from a remote server as each monitored package name is detected.

If you think you may have it, click on the suspect app in Application manager and uninstall it.
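A device-side check for the traits described above (an app that did not come from Google Play and has been granted administrator rights), as an added example that is not from the original article. It parses the output of `adb shell pm list packages -i -3` and the admin components in `adb shell dumpsys device_policy`; the sample output, package names and the dumpsys line layout are constructed assumptions.

```python
import re

# Constructed sample of `adb shell pm list packages -i -3` (third-party apps only).
PM_OUTPUT = """\
package:com.example.messenger  installer=com.android.vending
package:com.example.bankapp  installer=com.android.vending
package:com.example.flashupdate  installer=null
package:com.example.sideloadedgame  installer=null
"""

# Constructed excerpt of `adb shell dumpsys device_policy`; the exact layout
# differs between Android versions, so only pkg/class components are matched.
DUMPSYS_OUTPUT = """\
Enabled Device Admins (User 0):
  admin=ComponentInfo{com.example.flashupdate/com.example.flashupdate.AdminReceiver}
"""

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play


def parse_installers(pm_output):
    """Map package name -> installer package (None when no installer was recorded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def parse_admin_packages(dumpsys_output):
    """Collect package names of components listed as device admins."""
    pattern = r"([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)+)/[\w.$]+"
    return {m.group(1) for m in re.finditer(pattern, dumpsys_output)}


def triage(pm_output, dumpsys_output):
    """Return (package, finding) pairs; sideloaded device admins rank highest."""
    admins = parse_admin_packages(dumpsys_output)
    findings = []
    for pkg, installer in sorted(parse_installers(pm_output).items()):
        if installer in TRUSTED_INSTALLERS:
            continue
        if pkg in admins:
            findings.append((pkg, "high: sideloaded and holds device admin"))
        else:
            findings.append((pkg, "review: not installed from Google Play"))
    return findings
```

A package flagged as holding device admin has to have that right deactivated in the device's security settings before Android will let it be uninstalled.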


Ray Shaw (ray@im.com.au) has had a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT-based radio program on ABC radio for 10 years, has developed world-leading software for the events industry and is smart enough to no longer own a retail computer store!
