Three common security threats band together into one multi-step attack with the newest evolution of the Marcher malware, Proofpoint researchers warned in a report released last week.
The researchers revealed that the new evolved Marcher malware combines phishing, banking trojan and credit card data theft into one multi-step scheme, putting the banking accounts of Android users at risk.
“As our computing increasingly crosses multiple screens, we should expect to see threats extending across mobile and desktop environments,” they noted.
They stated further that attacks based on Marcher have turned into increasingly sophisticated schemes, with reported cases involving several different attack vectors and a variety of targeted financial services and communication platforms.
While attacks involving phishing or malware have become typical, the combination of these strategies in a single campaign targeting the financial accounts of Android users is unusual. It demonstrates the extent to which cybercriminals are willing to play a longer game to achieve their goals.
Marcher has been known since March 2013, when it first appeared on Russian forums; it has since grown into a global threat. It achieved wide-ranging reach as it became part of a malware-as-a-service scheme, allowing anyone to use its components. Marcher made headlines a few times earlier this year; in June, for instance, a variant of the malware was disguised as a Flash update.
Although the Marcher malware is usually passed around via text messages, this campaign circulates the malicious code via a link in an email. The link is shortened to avoid detection. People who click on the link are sent to a fake Bank Austria webpage and asked to enter their login credentials, phone number and email address.
Using the stolen details, the attackers send the users a warning message featuring fake Bank Austria branding. It claims the target doesn’t have the “Bank Austria Security App” installed on their smartphone. The user is then directed to another shortened URL that leads to the installation of the app, which infects the user’s device with the Marcher malware.
Besides acting as a banking trojan, overlaying a genuine banking app with an identically styled credential theft page, the malware also requests credit card information from infected users each time they open applications such as the Google Play Store.
The app also asks for a number of permissions, including the ability to directly call phone numbers, access contacts, read and write messages, modify settings, and force the device to lock, among many others. These include permission to act as a device administrator, which the report says should seldom be granted to an app.
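As an added example (not code from the Proofpoint report or from this article), the following script triages an Android manifest for the permission pattern just described: a device-administrator receiver combined with call, contact, SMS, settings and overlay permissions. The sample manifest and its package name are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the article lists for the fake "security app", mapped to
# the behaviour each enables (real Android permission names).
SUSPICIOUS = {
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.READ_CONTACTS": "access contacts",
    "android.permission.READ_SMS": "read messages",
    "android.permission.SEND_SMS": "send messages",
    "android.permission.WRITE_SETTINGS": "modify settings",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on other apps",
}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(xml_text):
    """Return (device_admin_requested, sorted list of flagged permissions)."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # A device-admin receiver is declared by guarding <receiver> with BIND_DEVICE_ADMIN.
    device_admin = any(r.get(ANDROID_NS + "permission") == DEVICE_ADMIN
                       for r in root.iter("receiver"))
    return device_admin, sorted(p for p in requested if p in SUSPICIOUS)


def risk_verdict(xml_text):
    """Heuristic: device admin plus two or more flagged permissions is 'high'."""
    device_admin, flagged = triage_manifest(xml_text)
    if device_admin and len(flagged) >= 2:
        return "high"
    return "medium" if (device_admin or flagged) else "low"


# Constructed sample manifest shaped like the fake banking "security app".
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Running `risk_verdict(SAMPLE_MANIFEST)` returns "high"; the same check applied to a manifest that only requests INTERNET returns "low".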
The attackers also ask for information including date of birth, address, and password to ensure they have all the data they need to make fraudulent use of the stolen credentials.
To avoid falling victim to such attacks, people should be wary of installing new apps from unofficial sources, particularly those that request permissions that seem to be unrelated to their functionality. They should be on the lookout for bogus banking sites that ask for more information than users would typically provide on legitimate sites.
For added security, use a VPN. NordVPN’s CyberSec feature protects against malware, annoying ads and phishing attempts. It checks each website the user tries to access against a list of malicious sites. Any site included in the phishing blacklist is blocked before any harm can be done.