LightBlog

Tuesday, March 7, 2017

Android Trojan “Marcher” Almost Impossible to Eliminate

In recent months, different types of malware have manifested themselves in various forms, spanning the most common platforms. Perhaps the most notorious piece of malicious code came from the FBI itself, which used a controversial NIT (network investigative technique) on Tor users worldwide. A more common type of infection over these past few months took the form of banking trojans. Modernized and increasingly active variants have surfaced of late, and one such example is an Android trojan called Marcher.

According to security analysts, Marcher is an especially advanced and increasingly active Android banking trojan. Android 6 (Marshmallow), for example, packed a wide array of security enhancements compared to its predecessors, and one of them, runtime permissions, plays an important role in protecting against malware like Marcher. Yet the banking trojan quite capably executes its overlay attack regardless of Marshmallow’s enhanced security.

According to Pham Duy Phuc, Niels Croese and Han Sahin, most victims fall for a classic phishing attack. The victim receives a message that “includes a link that leads to a fake version of a popular app, using names like Runtastic, WhatsApp or Netflix.” Upon installation, the trojan requests device permissions that may seem normal, along with advanced privileges such as “Device Administration.”

Marcher also requests its privileges in a way that looks intuitive to the victim. SMS (read and write) permissions appear first and enable the first attack vector. The other permission that Marcher “smartly” requests is Device Administration access. In contrast to similar forms of Android malware, Marcher uses this request as a form of anti-virus circumvention: despite being flagged as malicious by many AV products, the victim is left with no choice but to grant Device Administration. “Even when users deny or kill the process it will come up again, until they accept the request. Having this permission enables malware to lock and mute the phone, even reset the password and make a permanent phishing WebView,” the researchers explained.

The list of permissions goes on for quite some time, and its sheer length alone is remarkably suspicious. Marcher also takes advantage of the “AndroidProcesses” library, which lets the fake application know exactly which process or application is currently on the screen. Through this library, Marcher carries out the second attack vector: the overlay attack. On Android 6.0 and above, overlay attacks are difficult to achieve on a non-rooted device.
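As an added defensive triage example (not code from the original article or from the researchers it cites), the script below flags installed packages that show the combination described here: SMS access plus the overlay permission, together with an enabled Device Administrator. It assumes the approximate layout of `adb shell dumpsys package` and `adb shell dumpsys device_policy` output, with constructed sample output embedded inline in place of a live device.

```python
import re
# Permissions that together match the capabilities the article describes:
# SMS read/write (first vector) and drawing over other apps (overlay vector).
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS", "android.permission.WRITE_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
# Constructed sample approximating `adb shell dumpsys package` output.
PACKAGE_DUMP = """\
  Package [com.example.fakeflix] (3a1b2c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.SYSTEM_ALERT_WINDOW
  Package [com.example.notes] (9f8e7d):
    requested permissions:
      android.permission.INTERNET
"""
# Constructed sample approximating `adb shell dumpsys device_policy` output.
POLICY_DUMP = """\
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentName{com.example.fakeflix/com.example.fakeflix.AdminReceiver}:
"""

def requested_permissions(dump):
    """Map each package name to the set of permissions it requests."""
    perms, current = {}, None
    for line in dump.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = m.group(1)
            perms[current] = set()
        elif current and re.match(r"\s+android\.permission\.\w+$", line):
            perms[current].add(line.strip())
    return perms

def active_device_admins(dump):
    """Packages that currently hold an enabled Device Administrator receiver."""
    return set(re.findall(r"ComponentName\{([\w.]+)/", dump))

def triage(package_dump, policy_dump):
    """Return {package: [indicators]}; all three together warrant a closer look."""
    admins, report = active_device_admins(policy_dump), {}
    for pkg, perms in requested_permissions(package_dump).items():
        report[pkg] = [tag for tag, hit in (("sms", bool(perms & SMS_PERMS)),
                                            ("overlay", OVERLAY_PERM in perms),
                                            ("device-admin", pkg in admins)) if hit]
    return report
```

On a real device, feed the script the two dumpsys outputs captured over adb; a package that scores on all three indicators is worth inspecting by hand before assuming it is malicious.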

In short, the banking trojan checks which application is currently running and displays a matching overlay. The overlay is seamless to the end user, “often indistinguishable from the expected screen.” From this screen overlay, assuming the app is one the trojan targets, Marcher grabs the user’s credentials and relays them to the C2 back-end.

From the C2 panel, and with the help of a lengthy list of user-granted privileges, Marcher is highly adaptable. The list below covers the applications already recognized or vulnerable, but the attackers add more as they choose.

And that is just the list of banking apps, so far. Marcher also attacks other applications that require credit card input, even if the app itself is not a banking app. Several credit card company apps are becoming vulnerable as well. The list