The Android trojan known as Marcher is released with a new update. Its new version allows it to display bogus login pages to steal credentials from various popular Android apps.
Android Marcher appeared on the 2013 mobile malware scene and initially had the ability to display a fake screen at the top of the Google Play Store app when the user started the app.
This screen asked the user to enter their details creditof the card, which the malware sent to a C&C (command and control) server.
Later in 2014, fraudsters added a new feature to phish bank credentials, mostly from financial institutions in Australia, France, Germany, Turkey and the USA.
The latest update discovered by Zscaler security company seems to add more functionality to the trojan.
This time, the malware developer focused on popular Android apps.
So the new updated Marcher can collect login credentials by showing the corresponding fake login page every time the user starts one of the apps: WhatsApp, Viber, Skype, Facebook, το Facebook Messenger, Instagram, Twitter, Gmail,Line, UC Browser, Chrome, και Play Store.
All data is sent to an online server under the control of the fraudster. In the past, these data were transmitted in plain text via HTTP, the latest version of Marcher sends them encrypted using SSL.
How to protect yourself? Try to avoid installing applications outside the Play Store.