A few months ago, we reported about a certain Android malware being back with a vengeance.
This particular attack is extremely devious as it tricks users into relinquishing credentials and credit card information by overlaying real applications with fake mobile phishing pages resembling the real thing.
This time, it looks like it added another vector of attack.
Instead of infecting via SMS text messages or malicious links, reports are emerging that the malware is now posing as a fake Android firmware update.
According to cloud security company Zscaler, the pesky Android malware Marcher is now being deployed with an HTML page that tries to fool Android users into thinking that their device has "critical issues" and "is vulnerable to viruses."
A warning that the user's photos, chat messages, and passwords "have become visible to others on the internet" also accompanies the page.
The page then provides a link that is supposed to be a firmware update that will fix the issues. Instead of an actual Android update, it installs the Marcher malware.
Upon installation, the "firmware update" asks for administrative access. Granting it actually gives the Marcher malware the ability to do its dirty job: impersonate legitimate apps and overlay them with fake ones.
Apps hijacked with the fake overlays include banking apps as well as these popular ones:
- Google Play store
- Facebook Messenger
- UC Browser
The overlays look like the legitimate login pages of the affected apps, but they're actually mobile phishing pages designed to steal your user credentials, credit card numbers, and banking information.
Yep, it's a prevalent tactic in the cybercrime world: the supposed security firmware update that should protect you against malware is nasty malware itself.
Marcher is evolving
The security researchers also noticed a recent change in how the Marcher malware communicates with the attackers' command and control server. They say the malware now relays its communication over the more secure SSL encryption protocol.
Another change is the geographic scope of the targets. In 2013, Marcher was only targeting Russian mobile users. Now the behavior is reversed: it stops activity if the device is determined to be located in Russia or another Commonwealth of Independent States country. This implies that Marcher is indeed Russian in origin.
This also tells us that the Marcher threat actors are actively monitoring the malware and are constantly updating it to suit their changing needs.
This makes Marcher the foremost Android malware threat out there.
Protect yourself against Marcher
As always, to protect yourself against Marcher and other Android malware, the best practice is to avoid downloading and installing apps from "Unknown Sources." Only download apps from the official Google Play app store, and check the user reviews before installing.
Second, be careful with the links you follow and the websites you visit. Drive-by malware downloads can happen at any time without you knowing it. Don't grant system permissions to prompts that come from unknown sources.
And lastly, always be vigilant. As seen with this new Marcher malware tactic, things are sometimes not what they seem.
For more news and security tips from America's digital goddess, Kim Komando, visit komando.com.