The Marcher Android Trojan updated to the point where it can show fake login screens and steal credentials for various popular Android apps.
Android Marcher first came into existence three years ago and at the time it had the capability of showing a fake screen on top of the Google Play Store app whenever the user started that application.
This screen asked the user to enter their credit card details, which the malware collected and sent to a C&C server.
In another update in 2014, the attackers added the ability to phish for banking credentials, mostly from financial institutions in Australia, France, Germany, Turkey, and the U.S.
The latest update found the Trojan added more items on its target list, said researchers at mobile security firm Zscaler.
This latest update focused on popular Android apps instead of banking applications.
Marcher can now collect login credentials by showing a fake login screen whenever the user starts one of these apps: WhatsApp, Viber, Skype, Facebook, Facebook Messenger, Instagram, Twitter, Gmail, Line, UC Browser, Chrome, and the Play Store.
The stolen data goes to an online server under the attacker’s control. While previously this data transmitted in cleartext via HTTP, newer Marcher versions sent it encrypted via an SSL-protected channel.
This most recent Marcher version reaches Android devices via fake app stores, but Zscaler also discovered attackers using non-official Google domains to spread the malware packed as a fake Android firmware security update.
In the past, the Marcher attackers used to fill Adobe Flash Player updates with the Trojan. The catch is Android devices neither need nor support Flash Player. The also sent out the Trojan via SMS and email spam.
“We are seeing numerous infection attempts in our cloud for this malware family,” said Zscaler Researcher, Viral Gandhi in a blog post. “These frequent changes clearly indicate active malware development that is constantly evolving — making it the most prevalent threat to the Android devices.”
The safest bet for users is to install applications from the Play Store, researchers said.