

New Android threat combines phishing, malware and banking data theft

Nov 07, 2017 · 3 min read


Three common security threats band together into one multi-step attack with the newest evolution of the Marcher malware, Proofpoint researchers warned in a report released last week.

Researchers warn about evolving threats

The researchers revealed that the new evolved Marcher malware combines phishing, banking trojan and credit card data theft into one multi-step scheme, putting the banking accounts of Android users at risk.

“As our computing increasingly crosses multiple screens, we should expect to see threats extending across mobile and desktop environments,” they noted.

They stated further that attacks based on Marcher have turned into increasingly sophisticated schemes, with reported cases involving several different attack vectors and a variety of targeted financial services and communication platforms.

While attacks involving phishing or malware have become typical, the combination of these strategies in a single campaign targeting financial accounts of Android users is unusual. It demonstrates the extent to which cyber criminals are willing to play a longer game to achieve their goals.

How does the multi-step attack work?

Marcher has been known since March 2013, when it first appeared on Russian underground forums; it has since grown into a global threat. It achieved its wide reach by being offered as malware-as-a-service, allowing anyone to rent its components. Marcher made headlines several times earlier this year; in June, for instance, a variant of the malware was disguised as a Flash update.

Although Marcher is usually distributed via text messages, this campaign delivers the malicious code via a link in an email. The link is passed through a URL shortener, which hides the real destination from both the recipient and simple URL filters. People who click on the link are sent to a fake Bank Austria web page and asked to enter their login credentials, phone number and email address.

Fake Bank Austria website

Image: Proofpoint

Using the stolen details, the attackers send the user a warning message carrying fake Bank Austria branding. It claims the target does not have the “Bank Austria Security App” installed on their smartphone. The user is then directed to another shortened URL that leads to the installation of the “app” from outside Google Play, which infects the user’s device with the Marcher malware.

Besides acting as a banking trojan, overlaying a genuine banking app with an identically styled credential theft page, the malware also requests credit card information from infected users each time they open applications such as the Google Play Store.

The app also asks for a number of permissions, such as to directly call phone numbers, access contacts, read/write messages, modify settings, and force the device to lock, among many others. Among them is permission to act as a device administrator, which the report says should seldom be granted to an app: a device-admin app can lock the device and must be deactivated before it can be uninstalled, which makes removal harder for the victim.

Message of malware asking for permissions
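The permission set the article lists is itself a usable indicator. The following added example (not code from the original post or from Proofpoint) parses a decoded AndroidManifest.xml, flags the permissions a bank's "security app" has no business requesting, and detects a device-admin receiver. The manifest below is constructed to mirror the capabilities described above; its package and class names are made up.

```python
"""Score the permission set of a sideloaded APK's decoded manifest.

Added example, not code from the original post or from Proofpoint. The
manifest below is constructed to mirror the capabilities the article lists
(calls, contacts, SMS, settings, forced lock via device admin); the package
name and class names in it are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions a bank "security app" has no business asking for, mapped to
# what the article says Marcher does with them.
SUSPICIOUS = {
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.READ_CONTACTS": "access contacts",
    "android.permission.READ_SMS": "read messages",
    "android.permission.RECEIVE_SMS": "intercept incoming messages",
    "android.permission.SEND_SMS": "send messages",
    "android.permission.WRITE_SETTINGS": "modify settings",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Constructed manifest in decoded form (a packed APK stores it as binary XML).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank.securityapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bank Security App">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def assess_manifest(xml_text):
    """Return the suspicious permissions found and whether the app registers
    a device-admin receiver (the hook that lets it force-lock the device)."""
    root = ET.fromstring(xml_text)
    found = {}
    for node in root.iter("uses-permission"):
        perm = node.get(NAME_ATTR, "")
        if perm in SUSPICIOUS:
            found[perm] = SUSPICIOUS[perm]

    # A device-admin receiver is protected by BIND_DEVICE_ADMIN and listens
    # for DEVICE_ADMIN_ENABLED; both must be present for it to work.
    device_admin = False
    for recv in root.iter("receiver"):
        if recv.get(PERM_ATTR) != DEVICE_ADMIN_PERM:
            continue
        actions = {a.get(NAME_ATTR) for a in recv.iter("action")}
        if DEVICE_ADMIN_ACTION in actions:
            device_admin = True

    # Crude score: each suspicious permission counts 1, device admin counts 3.
    score = len(found) + (3 if device_admin else 0)
    return {
        "package": root.get("package"),
        "suspicious": found,
        "device_admin": device_admin,
        "score": score,
        "verdict": "likely banking trojan" if score >= 5 else "review manually",
    }


if __name__ == "__main__":
    result = assess_manifest(SAMPLE_MANIFEST)
    print(result["package"], result["verdict"], result["score"])
    for perm, what in result["suspicious"].items():
        print(f"  {perm}: {what}")
    if result["device_admin"]:
        print("  registers a device-admin receiver (can force-lock the device)")
```

To run this against a real APK, first decode the binary manifest (for example with `aapt dump xmltree app.apk AndroidManifest.xml` or apktool) and feed the resulting XML to `assess_manifest`. The threshold and weights are illustrative; the point is that a handful of declared capabilities already separates a banking overlay trojan from a legitimate bank app.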

The attackers also ask for further information, including date of birth, address and password, so that they have everything they need to commit fraud with the stolen credentials.

What can you do to protect yourself?

To avoid falling victim to such attacks, people should be wary of installing new apps from unofficial sources, particularly those that request permissions that seem to be unrelated to their functionality. They should be on the lookout for bogus banking sites that ask for more information than users would typically provide on legitimate sites.

Tips for Spotting a Phishing Email

  1. Examine the sender’s email address. Don’t just trust the display name; look closely at the actual address. If the domain strikes you as not quite right (e.g., a look-alike of the real domain), don’t open the email.
  2. Check for spelling and grammar mistakes. Serious companies don’t usually pester their customers with emails that contain bad grammar and basic spelling mistakes.
  3. Analyze the salutation. Your bank or another legitimate institution would usually address you by your full name. If you see a vague “Dear user” or similar instead, remain watchful.
  4. Don’t click on links. Instead, hover your mouse over the link or button to check the destination URL and see whether it points to the institution’s real domain. Note that “https” only means the connection is encrypted; a phishing site can have a valid certificate too, so the padlock alone does not prove the site is legitimate.
  5. If uncertain, make contact with your bank or other institution over the phone or a different email address and ask to confirm if the email is legitimate.
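The checks above can be applied mechanically to a raw message. The following added example (not code from the original post) parses an email, compares the display name with the real sender domain, looks for a generic salutation, and inspects every link for a URL shortener, a mismatch between visible text and destination, and plain http. The message is constructed for the demo, and `LEGIT_DOMAINS` is an assumed allow-list standing in for the impersonated bank's real domains.

```python
"""Mechanically apply the phishing checks from the tips above to a raw e-mail.

Added example, not code from the original post. SAMPLE_EML is constructed
for the demo and LEGIT_DOMAINS is an assumption standing in for the
impersonated bank's real domains.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = {"example-bank.at"}  # assumption for the demo
BRAND_WORDS = {"bank", "austria"}
# Public shorteners: the visible link says nothing about the destination.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly", "is.gd"}
GENERIC_GREETINGS = ("dear user", "dear customer", "dear client")

# Constructed lure in the style the article describes (not a real sample).
SAMPLE_EML = """\
From: "Bank Austria Security" <security@example-bank-mail.com>
To: customer@example.org
Subject: Confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear user, your account needs verification.</p>
<p><a href="http://bit.ly/2abcXYZ">https://www.example-bank.at/login</a></p>
<p><a href="https://www.example-bank.at/help">Help</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def triage(raw_message):
    """Return a list of (code, detail) findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Tip 1: display name versus the domain the mail actually came from.
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if any(w in display.lower() for w in BRAND_WORDS) and sender_domain not in LEGIT_DOMAINS:
        findings.append(("sender-domain", f"'{display}' sent from {sender_domain}"))

    body = msg.get_body(preferencelist=("html", "plain")).get_content()

    # Tip 3: vague salutation instead of the customer's name.
    if any(g in body.lower() for g in GENERIC_GREETINGS):
        findings.append(("generic-greeting", "message is not addressed by name"))

    # Tip 4: where each link really goes.
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        host = host_of(href)
        if host in SHORTENERS:
            findings.append(("shortened-link", href))
        if text.startswith(("http://", "https://")) and host_of(text) != host:
            findings.append(("link-text-mismatch", f"shows {host_of(text)}, goes to {host}"))
        if urlparse(href).scheme == "http":
            findings.append(("plain-http", href))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_EML):
        print(f"[{code}] {detail}")
```

The sample trips five findings: the branded display name comes from a domain outside the allow-list, the greeting is generic, and the login link is a shortened, plain-http URL whose visible text shows the bank's domain while the href goes elsewhere. A mail with no brand impersonation, a personal greeting and no links yields an empty list.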

For added security, use a VPN. NordVPN’s CyberSec feature protects against malware, intrusive ads and phishing attempts. It checks each website the user tries to access against a list of malicious sites. Any site included in the phishing blacklist is blocked before any harm can be done.

Ruby Gonzalez

Ruby is a cybersecurity expert and the Head of Communications at NordVPN. In her compelling stories, she sheds light upon the latest happenings in the online privacy and security world.
