Look out for phishing malware posing as Adobe Flash update


The foremost Android malware has evolved yet again and this time it is masquerading as another update for a plugin that is still widely used to this day.

It's the latest variant of a long line of disguises this tricky Android malware has assumed since it was discovered in 2013.

The malicious Android software is nicknamed Marcher and it is extremely devious since it tricks users into relinquishing credentials and credit card information by overlaying real applications with fake mobile phishing pages resembling the real thing.

This time, it is assuming the form of a fake Flash Player update. As you may very well know, Flash Player is a widely used video playback plugin that is still used by many websites.

The latest ruse was discovered by Zscaler security researchers and they reported that the technique uses adult content links and the excitement surrounding new mobile games to trick users into downloading the fake Flash Player update. Thankfully, all of the infected apps come from third-party sources and are not available in the Google Play store.

Here is how Marcher's latest wave of infection works. Embedded within the affected apps are URL links that deliver the fake Flash Player update. Once the would-be victim opens one of these links, a message pops up stating that the Android gadget's Flash Player is outdated and requires an update. If the user proceeds with this fake update, named "Adobe_Flash_2016.apk," the Android device will be infected with Marcher.

The sneaky malware will even guide the victim through disabling security settings so that the gadget allows other third-party apps to install. Once these third-party apps are installed, the malware's icon is deleted from the phone menu.

Once all the necessary preliminary steps are done, Marcher communicates with its command and control center to register the infected device and send pertinent data, such as the list of all apps installed on it.

The malware will now wait for the victim to open any of the targeted apps in its list and then overlay them with fake ones.

The overlays will look like the legitimate login pages of the apps affected, but they're actually mobile phishing sites designed to steal your user credentials and credit card and banking information.

Popular apps being targeted for the fake overlays include the Google Play store, PayPal, Chase, Wells Fargo, Morgan Stanley, Amazon, American Express, Schwab, Citibank, Western Union, TDBank, Walmart, eBay, Facebook and others.

Here's the full list of the overlaid apps from Zscaler:

  • com.android.vending
  • org.morgbigorg.nonem
  • com.google.android.gm
  • com.yahoo.mobile.client.android.mail
  • com.htc.android.mail
  • com.android.email
  • com.paypal.android.p2pmobile
  • com.chase.sig.android
  • com.suntrust.mobilebanking
  • com.wf.wellsfargomobile
  • com.citi.citimobile
  • com.konylabs.capitalone
  • com.infonow.bofa
  • com.morganstanley.clientmobile.prod
  • com.amazon.mShop.android.shopping
  • com.htsu.hsbcpersonalbanking
  • com.usaa.mobile.android.usaa
  • com.schwab.mobile
  • com.americanexpress.android.acctsvcs.us
  • com.pnc.ecommerce.mobile
  • com.regions.mobbanking
  • com.clairmail.fth
  • com.grppl.android.shell.BOS
  • com.tdbank
  • com.huntington.m
  • com.citizensbank.androidapp
  • com.usbank.mobilebanking
  • com.key.android
  • com.ally.MobileBanking
  • com.unionbank.ecommerce.mobile.android
  • com.mfoundry.mb.android.mb_BMOH071025661
  • com.bbt.cmol
  • com.sovereign.santander
  • com.mtb.mbanking.sc.retail.prod
  • com.fi9293.godough
  • com.circle.android
  • com.coinbase.android
  • com.walmart.android
  • com.bestbuy.android
  • com.gyft.android
  • com.commbank.netbank
  • org.westpac.bank
  • au.com.nab.mobile
  • org.stgeorge.bank
  • com.facebook.katana
  • com.moneybookers.skrillpayments
  • com.westernunion.android.mtapp
  • au.com.ingdirect.android
  • au.com.bankwest.mobile
  • org.banksa.bank
  • com.ebay.mobile
  • com.ebay.gumtree.au
  • com.anz.android.gomoney
  • com.anz.android


Zscaler also notes that this current variant of Marcher can bypass most Android antivirus programs so extreme vigilance is required.

Protect yourself against Marcher

As always, to protect yourself against Marcher and other Android malware, the best practice is to avoid downloading and installing apps from "Unknown Sources." Only download apps from the official Google Play app store and make sure you check user reviews, too, before installing.

Second, be careful with links and websites you visit. Drive-by malware downloads could happen anytime without you knowing it. Don't grant any system permissions to prompts coming from unknown sources.

And lastly, always be careful. As seen with this new Marcher malware tactic, things are sometimes not what they seem.
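The check below is an added example, not part of the original article or of Zscaler's report. It triages a device's app inventory for the situation described above: apps installed from outside Google Play sitting next to apps on the overlay target list. It assumes the inventory text has the shape printed by `adb shell pm list packages -i -3`; the sample output and the `com.example.*` package names are constructed, and the target set is a subset of the list above.

```python
import re

PLAY_STORE = "com.android.vending"  # Google Play's package name

# Subset of the overlay target list quoted in the article above.
OVERLAY_TARGETS = {
    "com.paypal.android.p2pmobile",
    "com.chase.sig.android",
    "com.wf.wellsfargomobile",
    "com.facebook.katana",
    "com.ebay.mobile",
}

# Constructed sample in the shape printed by `adb shell pm list packages -i -3`
# (third-party packages with their installer); com.example.* names are made up.
SAMPLE = """\
package:com.paypal.android.p2pmobile  installer=com.android.vending
package:com.facebook.katana  installer=com.android.vending
package:com.ebay.mobile  installer=null
package:com.example.flashupdate  installer=null
package:com.example.game  installer=com.example.thirdpartystore
not a package line
"""

LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_packages(output):
    """Map package name -> installer package (None when no installer is recorded)."""
    packages = {}
    for raw in output.splitlines():
        match = LINE.match(raw.strip())
        if match:  # skip blank or unrelated lines
            name, installer = match.groups()
            packages[name] = None if installer == "null" else installer
    return packages

def triage(output):
    """Flag sideloaded apps and installed apps that Marcher is known to overlay."""
    packages = parse_packages(output)
    sideloaded = sorted(p for p, src in packages.items() if src != PLAY_STORE)
    targets = sorted(p for p in packages if p in OVERLAY_TARGETS)
    return {
        "sideloaded": sideloaded,
        "overlay_targets_installed": targets,
        # A targeted app that did not come from Google Play deserves a close look.
        "targets_not_from_play": [p for p in targets if p in sideloaded],
        # Sideloaded apps alongside targeted apps is the setup the article describes.
        "needs_review": bool(sideloaded) and bool(targets),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A package with no Play Store installer is not proof of infection; it marks the apps worth inspecting first.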

For more news and security tips from America's digital tech expert, Kim Komando, visit komando.com.
