A few months ago, we reported on a certain Android malware being back with a vengeance.
This particular attack is extremely devious as it tricks users into relinquishing credentials and credit card information by overlaying real applications with fake mobile phishing pages resembling the real thing.
This time, it looks like it has added another attack vector.
Reports are emerging that, instead of infecting devices via SMS text messages or malicious links, the malware is now posing as a fake Android firmware update.
According to cloud security company Zscaler, the pesky Android malware Marcher is now being deployed with an HTML page that tries to fool Android users into thinking that their device has "critical issues" and "is vulnerable to viruses."
A warning that the user's photos, chat messages, and passwords "have become visible to others on the internet" also accompanies the page.
The page then provides a link that is supposed to be a firmware update that will fix the issues. Instead of an actual Android update, it installs the Marcher malware.
Upon installation, the "firmware update" will ask for administrative access, but approving that request actually grants the Marcher malware the ability to do its dirty job: impersonate legitimate apps and overlay them with fake ones.
Hijacked apps with the fake overlays include banking apps and these popular ones:
- Google Play store
- Facebook Messenger
- UC Browser
The overlays will look like the legitimate login pages of the apps affected, but they're actually mobile phishing sites designed to steal your user credentials and credit card and banking information.
Yep, it's a prevalent tactic in the cybercrime world: the supposed security firmware update that should protect you against malware is itself nasty malware.