The developers of the banking malware “Marcher” are now disguising the Trojan as an “Adobe Flash Player” update, which is tricking users to install it on their devices.
We have to mention that the new variant of Marcher malware is stealing online banking credentials by tricking users with fake overlay pages that impersonate real finance apps, which are included in the hard-coded list of targeted applications and the URLs hosting their fake login pages hosting URL.
The bad news is that the malware is targeting 54 applications, including the ones from well known companies such as PayPal, Wells Fargo, TC Bank, Chase and many others.
Zscaler, a global cloud-based information security company, claims that the primary source of infection is Popcash.net advertisement that is taking users to a fake URL, where they will be prompted to install the latest Flash Player version because it’s out of date. As expected, users are downloading a fake Flash Player update, which is actually the “Marcher” malware.
Once the malware gets installed on your device, it will attempt to disable the security features, allowing additional third-party applications to get installed. Then, the malware is using a malicious command that will send device metadata, a list of installed applications and credentials that the user has used into the fake log-in overlay pages.
Keep in mind that the malware will also wait a few sleep cycles before trying to send this data, as these overlays will appear when the user attempts to open one of the targeted applications.
It seems that more and more malwares are making their way to the Android devices. Even if you have an anti-virus installed on your device, we suggest you to look twice before installing an application on your handset. If you notice that some money is missing from your bank account, contact your bank as soon as possible and inform them about your issue.