Android Trojan Marcher can steal credentials for Gmail, Facebook, Skype, Instagram and others

After a new update, the Android trojan Marcher can display fake login screens to users, which allows it to steal logins from many apps, including Gmail, Facebook, Skype, Instagram and WhatsApp.

Marcher was first seen on the mobile malware scene in 2013. At that time, whenever a user started the Google Play Store application, the trojan showed a fake screen on top of the store app. This fake screen asked for credit card details, which, once provided, were sent to a command-and-control (C&C) server.

By 2014, the trojan's creators had added new capabilities to it: phishing for banking credentials belonging to financial institutions in the United States, Australia, France, Germany and Turkey.

Marcher update expands attack capabilities:

Zscaler, a global cloud-based information security company, recently detected an update to Marcher. The company revealed that many new apps have been added to the Android trojan's attack list. Instead of targeting more banking-related apps, the crooks added many popular and frequently used Android apps.

With this update, the trojan can steal users' login credentials by showing fake login screens. It collects user data from many popular apps, namely Google Play Store, Gmail, Chrome, Facebook, Facebook Messenger, Skype, Instagram, WhatsApp, Line, Twitter, UC Browser and Viber.

The collected credentials are then sent to a C&C server under the control of the trojan's makers, as with much other malware. The updated Marcher sends the data in encrypted form over Secure Sockets Layer (SSL), whereas earlier Marcher versions sent it as plain text over HTTP.

How does an Android device get infected with the trojan?

The up-to-date Marcher mostly infects Android phones through fake app stores. However, the trojan is also spread disguised as a fake Android firmware security update on some non-official Google domains, Zscaler states. In earlier versions, the Marcher gang also spread the malware via SMS and email spam and disguised as Adobe Flash Player updates.

In this context, Mr. Viral Gandhi, a Senior Security Researcher at Zscaler, reports, “These frequent changes clearly indicate active malware development that is constantly evolving — making it the most prevalent threat to the Android devices.”

The chances of a device getting infected are very low if apps are installed from the Play Store. To stay safe from these threats, users are therefore advised to get apps and games only from the official Google Play Store, even if the trojan horse infects the app store itself.

About Haider Khan

I'm an Independent Cyber Security Researcher, a geek who loves Cyber Security and Technology.