Android malware continues to grow exponentially now that it has overtaken the top position as the most popular OS (across all platforms), making it the target of choice for malware authors. Android Marcher is an Android banker malware that has been on the FortiGuard Labs radar since late 2013. Since that time it has been seen in a number of campaigns targeting many different banks and countries. And now, Marcher has once again resurfaced with a new campaign. Over the past few months we have observed it masking itself in a variety of ways – sometimes hiding behind the icons of games, banks or popular applications to lure victims into installing it on their devices.
Samples from this family of malware show that it usually has a small footprint, keeping all of their phishing pages online, ready to be downloaded whenever the targeted application is open on the device.
After obtaining DeviceAdmin privileges, malware from the Marcher family hides itself and begins waiting. When one of the many targeted apps is opened, it hijacks the main screen and displays a phishing page obtained from a URL, usually of the form https://host/subfolder/njs2/?m=[id_of_app] (in the APPENDIX you will find the targeted apps with related ID.) While the campaign primarily targets banking apps, it does not stop there. It also keeps track of Google Play, PayPal, messaging apps, and social media.
Once credentials are obtained they are sent to the C&C and added to the database. Marcher is able to receive multiple commands through SMS, including but not limited to: intercept SMS, execute USSD codes, send SMS, and lock and unlock the phone. These are the main features of the Marcher family. If you are interested in a more exhaustive, in-depth analysis for the previous version, we recommend that you read this blogpost by the folks at Securify.
Marcher creators are aware of the growing attention it is attracting among the research community. To prevent this, previous Marcher versions had implemented an anti-AV check to prevent security apps from running on the device. The malware checks if a known antivirus app is running on the device (the full list is provided in the APPENDIX). If it is, it redirects the main screen to the HOME screen, as you can see in figure 1 below.
Figure 1: Check for installed AV apps
However, it seems like this was not good enough for the authors. So in the more recent versions, Marcher creators have implemented another check to reduce the effectiveness of researcher analysis. The app now also checks to see if it is running in an emulator or on a real device.
As you can see in the Figure 2, the malware checks for multiple indicators of emulation:
For example, it checks if the IMEI is a default value (000000000000000, 012345678912345, 004999010640000) or if it uses some widely known kernels for emulators (ranchu/goldfish). It also checks for the use of strings “generic”, “unknown,” or others that would suggest the use of an emulator in multiple fields of the Build object.
Figure 2: Anti-emulator code
This check complicates the researcher’s life because modifying these values in emulators is not extremely straightforward (it usually requires a modification of the binary file of the emulator), while code obfuscation makes spotting the routine a little bit harder.
With respect to the Marcher samples we encountered few months ago, between the end of 2016 and the beginning of 2017, the level of obfuscation has been increased even more, to the point where even method calls are disguised using getDeclaredMethod() to retrieve the wanted routine and declaredMethod.invoke() to execute it, in addition to obfuscated strings to evade static analysis. While the obfuscation method used in the old and new versions is the same, in the latest samples there are almost no clear text strings identifiable. In Figure 3 you can see the de-obfuscated strings added as comment.
Figure 3: Code obfuscation
Figure 4: C&C address list
At the time of writing, the C&C panel had already been taken offline. However, SfyLabs were able to get their hands on it and extract the bot list. As you can see in the chart below, roughly 3700 devices were infected, and by a large margin the two most targeted countries were France and Germany.
As usual, our advice is to be careful when you are installing applications on your device. Given the prevalence of Android-based malware, don’t blindly trust third party application marketplaces, or apps advertised via email or text message. Even if the app icon looks legit to you, you never know what could be hidden behind it. A good security practice is to always check the permissions the app requires and only allow those that are strictly necessary.
Fortinet detects this malware with the signature Android/SpyBanker.IS!tr, and detects the older versions of Marcher with the signature Android/Banker.IH!tr.spy.
FortiGuard Labs will follow up on this and keep you updated on this and other android banking malware.
-= FortiGuard Lion Team =-
Package name: etcqlnzwauf.hflivryhdnjb
Package name: snqtu.cgbsbdjj
Package name: gnpwibfapfjtdr.orvcpqiilijrbih
Package name: fvxqpwsunfbvkesmd.xydmpw
ANTIVIRUS APPS CHECKED
BANKS APPS TARGETED