Android Banking Trojan ‘Marcher’ Targets Latin America

Recently PhishLabs wrote about how Android/Marcher, one of the most prevalent Android banking Trojans, increased its geographic coverage by adding banking and financial institutions from Turkey and the United Kingdom to its target list. Recently Intel Security Mobile Research found new variants of Android/Marcher that monitor the execution of banking apps exclusively from Latin America (Argentina, Brazil, Chile, Colombia, Mexico, and Peru) to display an overlay phishing screen to steal the banking credentials of the victims.

The malicious apps have been seen in the wild using names such as eagle.apk, VisorVideos.apk and x360security.apk pretending to be a fake Whatsapp security app, a fake system update, or a security app:

Marcher_AppsNames

As soon as the malware is executed, the app requests device administrator privileges to make its removal difficult and remain persistent on the infected device:

Marcher_DeviceAdmin
Once the device administrator is activated for the malicious app, it will hide the icon from the home screen. In the background, however, Android/Marcher constantly monitors the execution of specific apps to obtain sensitive information that can be used for fraudulent electronic transactions. For example, when Google Play runs on a device infected with Android/Marcher, the following overlay, asking for a credit card number, is shown to the user:

Marcher_GooglePlayOverlay

In addition to monitoring some Google apps to steal credit card numbers, recent variants monitor the execution of banking apps in Latin America. The following is an example of the overlay phishing interface that is displayed when a Colombian banking app opens:

Marcher_ColombianBanks
Brazilian banking users are also targeted by recent variants of Android/Marcher:

Marcher_BrasilianBanks
Here’s an example of phishing overlays for financial institutions in Argentina:

Marcher_ArgentinianBanks
Peru, Chile, and Mexico are also in the target list of Android/Marcher:

Marcher_PeruMexicoChile
In total this new Android/Marcher campaign has targeted 23 financial institutions in six countries in Latin America. We expect this threat will continue to increase its coverage, just as it has done in the last couple of years. To protect yourselves from this threat, make sure that you have installed security software on your Android device and avoid the download and installation of apps from unknown sources.

McAfee Mobile Security detects this threat as Android/Marcher and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.

Package names of targeted financial apps

Argentina:

  • ar.com.santander.rio.mbanking
  • com.bapro.movil
  • com.bbva.nxt_argentina
  • com.mosync.app_Banco_Galicia
  • org.banelco
  • org.microemu.android.model.common.VTUserApplicationLINKMB

Brasil:

  • br.com.bb.android
  • com.itaucom.santander.app

Chile:

  • cl.santander.smartphone

Colombia:

  • co.com.bbva.mb
  • com.bancodebogota.bancamovil
  • com.grupoavalav1.bancamovil
  • com.todo1.davivienda.mobileapp
  • com.todo1.mobile
  • se.accumulate.me.core.androidclient.csb
  • se.accumulate.me.core.androidclient.occidente

Mexico:

  • com.bancomer.mbanking
  • com.citibanamex.banamexmobile
  • mx.bancosantander.supermovil

Peru:

  • com.bbva.nxt_peru
  • com.bcp.bank.bcp
  • pe.com.interbank.mobilebanking

The post Android Banking Trojan ‘Marcher’ Targets Latin America appeared first on McAfee.