The technologies we use daily continue to change and improve over the years, and the same is true of the tools and software that run on the internet. As these grow and evolve, attackers adapt their methods to better compromise systems and networks. Numerous threats have made a name for themselves by successfully breaching and attacking various types of devices. One of these is a family of malware called Marcher, which generally targets Android devices with the purpose of stealing credit card and banking data.
Marcher has been quite prominent, and security researchers have been watching it for some time now. It has been deployed in several forms designed to fly under the radar of individuals, such as disguising itself as the Google Play Store or as fake mobile game downloads. Of course, these methods were eventually discovered, and a flurry of patches and warnings went out to prevent the malware from compromising further devices. But it has surfaced once again in a new form, this time hidden in a fake Adobe Flash Player update.
How the Malware Infects Devices
Flash is a very common technology that has been in use since the early days of the internet. It is what allows us to play numerous online games and watch many videos, and it has been extremely useful in that role, despite having seen its fair share of bugs and compromises over the years. Because Flash is an older technology, vulnerabilities continue to be discovered in it, which has even prompted Adobe to decide to discontinue Flash in 2020 in favor of more modern alternatives such as HTML5.
The core of what allows Marcher to infect devices has little to do with Flash itself, beyond the malware presenting itself as a Flash Player update. When the user opens the dropper URL, an official-looking prompt appears on the screen saying that their Flash Player is out of date, and a file named “Adobe_Flash_2016.apk” is then dropped onto the device. The displayed screen lists a couple of steps the user must take for the file to install, including changing their security settings to allow installations from unknown sources, which is what permits the APK to install on the device. Once the infection has taken place, the malware contacts its Command and Control (C&C) servers. It then lies in wait until it detects that the user has opened one of 40 recognized financial apps, at which point it creates an overlay that looks almost identical to the real app’s login screen. If the user enters their credentials into that overlay, they are sent to the attackers to use for their own malicious purposes.
This malware does an excellent job of hiding itself, which makes it much harder for antivirus programs to detect. As a result, the responsibility for keeping devices free of infection falls heavily on Android users themselves. There are a couple of things to keep in mind to prevent this, including:
- Suspect Download Prompts – Always be suspicious of any download prompt. Attackers like to piggyback on legitimate company names, so be equally suspicious of pop-ups claiming to come from well-known companies. Download updates only from the official sites to help prevent this.
- Avoid Third-Party Downloads – Ideally, never download anything from third-party sites. Apps are a prime example: numerous sites and services offer app downloads, but it is safest to stick with the official Google Play Store. Never agree to third-party app installations or downloads unless they have been thoroughly verified by security researchers.
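As an added example that is not part of the original article, the following Python triage helper parses adb output to flag sideloaded apps that hold the overlay permission (SYSTEM_ALERT_WINDOW) needed to cover a banking app's login screen as described above, and checks whether the unknown-sources setting the dropper asks the user to enable is on. The adb commands, the constructed package names and sample lines, and the pre-Android 8 `install_non_market_apps` settings key are assumptions, not taken from the page.

```python
# Added example, not from the article: flag sideloaded apps holding the overlay
# permission Marcher-style malware uses to cover a bank app's login screen.
# Input is assumed to be text from `adb shell pm list packages -f -3` and
# `adb shell dumpsys package <pkg>`; all sample lines are constructed.
import re

OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
PLAY_STORE_INSTALLER = "com.android.vending"

def parse_package_list(text):
    """Map package name -> APK path from 'package:<path>=<name>' lines."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+?)=(\S+)$", line.strip())
        if m:
            pkgs[m.group(2)] = m.group(1)
    return pkgs

def installer_of(dumpsys_text):
    """installerPackageName from dumpsys output; None if absent or 'null' (sideload)."""
    m = re.search(r"installerPackageName=(\S+)", dumpsys_text)
    return None if not m or m.group(1) == "null" else m.group(1)

def flag_overlay_sideloads(package_list, dumpsys_by_pkg):
    """Packages that can draw overlays and were not installed by the Play Store."""
    suspects = []
    for pkg, apk in parse_package_list(package_list).items():
        info = dumpsys_by_pkg.get(pkg, "")
        if OVERLAY_PERMISSION in info and installer_of(info) != PLAY_STORE_INSTALLER:
            suspects.append((pkg, apk))
    return suspects

def unknown_sources_enabled(settings_output):
    """True when `settings get secure install_non_market_apps` prints 1 (pre-Android 8 key)."""
    return settings_output.strip() == "1"

# Constructed sample: one sideloaded "Flash update" app, one Play-installed app.
SAMPLE_PACKAGES = """package:/data/app/com.example.flashupdate-1/base.apk=com.example.flashupdate
package:/data/app/com.example.notes-1/base.apk=com.example.notes"""
SAMPLE_DUMPSYS = {
    "com.example.flashupdate": "installerPackageName=null\n  requested permissions:\n    android.permission.SYSTEM_ALERT_WINDOW\n    android.permission.INTERNET",
    "com.example.notes": "installerPackageName=com.android.vending\n  requested permissions:\n    android.permission.INTERNET",
}

if __name__ == "__main__":
    for pkg, apk in flag_overlay_sideloads(SAMPLE_PACKAGES, SAMPLE_DUMPSYS):
        print(f"REVIEW {pkg} ({apk}): overlay-capable and not installed by the Play Store")
    print("unknown sources enabled:", unknown_sources_enabled("1\n"))
```

A flagged package is a lead for manual review, not proof of infection; legitimate apps such as screen dimmers also request overlay permission.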