Marcher has the ability to evade anti-virus detection.
Cyber-security researchers at Securify, a Dutch security firm, have been evaluating the Marcher Android banking Trojan for the past six months.
They have concluded that Marcher has been active since 2013 and that its attack tactics have evolved continuously since then.
To date, a single Marcher botnet has infected thousands of Android devices and stolen a considerable number of payment cards.
In all, the researchers have discovered nine Marcher botnets.
According to the Securify researchers, when the Trojan first became active in late 2013 it lured users with Google Play phishing pages to harvest their payment card details.
In March 2014 the attacks shifted their primary focus to German financial institutions; analysis suggested that the majority of Marcher’s victims were German banks. However, by 2016 the malware’s target list had grown to over 60 organizations across the United States, United Kingdom, France, Australia, Spain, Poland, Turkey and many other countries.
The malware was hidden inside apps that appeared harmless and trustworthy, such as Netflix, the Super Mario Run game and the popular messaging app WhatsApp.
Securify researchers explained: “Marcher is one of the few Android banking Trojans to use the AndroidProcesses library, which enables the application to obtain the name of the Android package that is currently running in the foreground.
This library is used because it uses the only (publicly known) way to retrieve this information on Android 6 (using the process OOM score read from the /proc directory).”
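As an added illustration (not Securify’s analysis code and not anything taken from the malware), the Python below models the “lowest OOM score wins” heuristic that the AndroidProcesses library relies on, using a constructed /proc snapshot; the PIDs and package names are invented. It also models the change introduced in Android 7.0, which mounts /proc with hidepid=2 so that an app sees only its own entry, which is why the technique stops identifying the foreground app there.

```python
from typing import Dict, Optional, Tuple

# Constructed /proc snapshot (not captured from a real device): pid -> (cmdline, oom_score).
# A lower oom_score means the kernel would kill the process later; on Android the app
# process with the lowest score is the one the user is currently interacting with.
CONSTRUCTED_PROC: Dict[int, Tuple[str, int]] = {
    1:    ("/init", 0),
    523:  ("system_server", 0),
    1201: ("com.android.systemui", 50),
    1388: ("com.example.bank", 0),         # hypothetical banking app in the foreground
    1402: ("com.example.messenger", 700),  # cached background app
    1455: ("com.example.game", 900),       # cached background app
}


def looks_like_package(cmdline: str) -> bool:
    """App processes are named after their package: dotted, no path separator, no args."""
    return "." in cmdline and "/" not in cmdline and " " not in cmdline


def app_processes(proc: Dict[int, Tuple[str, int]]) -> Dict[int, Tuple[str, int]]:
    """Keep only entries that look like Android app processes (drops init, daemons, etc.)."""
    return {pid: entry for pid, entry in proc.items() if looks_like_package(entry[0])}


def foreground_package(proc: Dict[int, Tuple[str, int]]) -> Optional[str]:
    """Return the package whose process has the lowest OOM score, or None if no app is visible."""
    apps = app_processes(proc)
    if not apps:
        return None
    pid = min(apps, key=lambda p: apps[p][1])
    return apps[pid][0]


def visible_with_hidepid(proc: Dict[int, Tuple[str, int]], caller_pid: int) -> Dict[int, Tuple[str, int]]:
    """Model Android 7.0's /proc mounted with hidepid=2: a process sees only its own entry."""
    return {pid: entry for pid, entry in proc.items() if pid == caller_pid}


if __name__ == "__main__":
    # Android 6 view: every process is visible, so the banking app is found.
    print("Android 6 view:", foreground_package(CONSTRUCTED_PROC))
    # Android 7 view from the game's own pid: only itself is visible.
    view = visible_with_hidepid(CONSTRUCTED_PROC, 1455)
    print("Android 7 view from pid 1455:", foreground_package(view))
```

For analysts, the useful takeaway is the observable: on Android 6 a third-party app that iterates over other processes’ /proc entries (cmdline plus oom_score) is doing something a benign app rarely needs to, which makes that file-access pattern a reasonable thing to flag in dynamic analysis of a suspicious APK.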
Securify researchers have identified nine Marcher botnets; each contains new modules and can perform targeted web injects as directed by its operators.
One of the nine botnets targets banks in France, Austria and Germany and has so far infected over 11,000 devices.
Of these, 5,700 infected devices were in Germany and 2,200 in France, and the attackers’ command-and-control server held 1,300 payment card numbers in addition to other sensitive banking data.
Most of the infected devices were running Android 6.0.1, but over 100 were running Android 7.0.
Marcher works by first inspecting the apps in use on the victim’s device; if a targeted app is identified, it displays an overlay screen to trick the victim into entering sensitive information.
The malware can also evade detection or removal by security products by blocking mobile antivirus applications.
About seven months ago, researchers noted that Marcher could block eight antivirus apps; according to the latest analysis it can now block over two dozen.
IBM Security reported in early June that nine major banks in the United Kingdom had also been added to the list of targets. Samples analyzed by PhishLabs this month target the customers of 66 companies, including 62 banks, Google email services and PayPal.
IBM reported earlier this month that the United States was the sixth most targeted country, but PhishLabs said on Thursday that the latest Marcher samples it has analyzed don’t target the U.S.
“Because the malware can be customized for each individual actor, it is possible that other Marcher samples may include different targets and regions. Expanded targeting seems likely in future based upon this capability,” PhishLabs researchers explained.