Marcher

By GoldSparrow in Trojans

The Marcher Trojan is a strain of Android malware that has been active since 2013 and is also known under the alias Rahunok. Over the years, a number of updates have been introduced to the Marcher project, making it even more threatening. At first, the Marcher Trojan served to collect Google Play Store login credentials. However, with some of the recent upgrades, the Marcher Trojan has also gained the ability to access the user's text messages, which lets it bypass the two-factor authentication that some websites have.

Propagation Methods

The main propagation methods used to spread the Marcher Android Trojan appear to be bogus application downloads, spam text messages and shady application stores. The Marcher Trojan has several different variants, which are meant to support different banking applications, depending on the geographical region of the campaign.

Capabilities

When the Marcher Trojan is deployed on the infected host, it will allow its operators to:

  • Access the text messages on the device.
  • Send text messages from the device.
  • Execute remote commands.
  • Turn sounds off/on.
  • Switch off the screen.
  • Lock the device.
  • Inject an overlay.

The Marcher Trojan displays a fake overlay whenever it detects that the user is opening a banking application. This overlay is meant to trick the user into filling in their login credentials, which are then swiftly collected by the attacker. Even two-factor authentication will not stop the Marcher Trojan, as this threat also has access to the text messages of the victim.
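An added triage example, not part of the original article and not derived from a Marcher sample: it checks a decoded AndroidManifest.xml for permissions that would enable the capabilities listed above and flags the SMS-plus-overlay pairing. The capability-to-permission mapping, the function names and the sample manifests are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the capabilities listed above to standard Android
# permissions; it is not taken from a Marcher sample.
CAPABILITY_PERMISSIONS = {
    "read text messages": {"android.permission.READ_SMS",
                           "android.permission.RECEIVE_SMS"},
    "send text messages": {"android.permission.SEND_SMS"},
    "draw an overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "lock the device": {"android.permission.BIND_DEVICE_ADMIN"},
}

def requested_permissions(manifest_xml):
    """Collect permission names a decoded AndroidManifest.xml refers to."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter():
        if elem.tag == "uses-permission":
            names.add(elem.get(ANDROID_NS + "name"))
        elif elem.tag == "receiver":
            # Device-admin receivers are guarded by BIND_DEVICE_ADMIN.
            names.add(elem.get(ANDROID_NS + "permission"))
    names.discard(None)
    return names

def triage(manifest_xml):
    """Return (matched capabilities, high_risk flag) for one manifest."""
    perms = requested_permissions(manifest_xml)
    matched = sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                     if perms & needed)
    # Overlay (credentials) plus SMS access (2FA codes) is the pairing
    # described in the paragraph above.
    high_risk = {"read text messages", "draw an overlay"} <= set(matched)
    return matched, high_risk

# Constructed sample manifests, not extracted from any real application.
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application><receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/></application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(xml))
```

A match is a prompt for closer review rather than a verdict, since legitimate applications can request the same permissions.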

The Marcher Trojan operates very quietly, and users may never even realize that they have become victims of a banking Trojan. You should be extremely cautious when downloading new software and never trust third-party websites that host unknown applications. Make sure you also download and install a legitimate anti-virus solution on your Android device to keep it safe in the future.
