The Android trojan known as Marcher is released with a new update. Its new version allows it to display bogus login pages to steal credentials from various popular Android apps.
Android Marcher has appeared on the mobile malware scene Appliances in 2013 and originally had the ability to display a fake screen at the top of the Google Play Store app when the user was starting the application.
This screen asked the user to enter their credit card details, which the malware sent them to a C&C (command and control) server.
Later in 2014, fraudsters added a new feature to phish bank credentials, mostly from financial institutions in Australia, France, Germany, Turkey and the USA.
The latest update discovered by security firm Zscaler appears to add more functions in the trojan.
This time, the malware developer focused on popular Android apps.
So the new updated Marcher can collect login credentials by showing the corresponding fake login page every time the user starts one of the apps: WhatsApp, Viber, Skype, Facebook, Facebook Messenger, Instagram, Twitter, Gmail, Line, UC Browser, Chrome, and Play Store.
Όλα τα δεδομένα αποστέλλονται σε έναν online server που βρίσκεται στον έλεγχο του απατεώνα. Στο παρελθόν αυτά τα δεδομένα μεταδίδονταν σε μορφή απλού κείμενου μέσω http, η τελευταία έκδοση του Marcher τα αποστέλλει κρυπτογραφημένα χρησιμοποιώντας SSL.
How to protect yourself? Try to avoid installing applications outside the Play Store.