Marcher Android Trojan Can Steal Logins from Facebook, WhatsApp, Skype, Gmail

  • Thread starter
  • Admin
Admin & Security Team
Many other popular Android apps targeted as well

The Android trojan known as Marcher has received an update which now allows it to show fake login screens and steal credentials for various popular Android apps.

Android Marcher appeared on the mobile malware scene in 2013 and initially had the capability of showing a fake screen on top of the Google Play Store app whenever the user started that application.

This screen asked the user to enter his credit card details, which the malware collected and sent to a C&C server.

Later in 2014, the crooks added the ability to phish for banking credentials, mostly from financial institutions in Australia, France, Germany, Turkey and the US.

Marcher update expands targeting capabilities

An update detected by mobile security firm Zscaler has revealed that in recent weeks, the trojan has added more items to its target list.

This time around the trojan's creators focused on popular Android apps instead of banking applications.

Marcher can now collect login credentials by showing a fake login screen whenever the user starts one of these apps: WhatsApp, Viber, Skype, Facebook, Facebook Messenger, Instagram, Twitter, Gmail, Line, UC Browser, Chrome, and the Play Store.

As with most malware these days, the stolen data is sent to an online server under the crooks' control.
While previously this data was transmitted in cleartext via HTTP, recent Marcher versions send it encrypted via an SSL-protected channel.

Infections occur via fake Android security updates

This most recent Marcher version reaches Android devices via fake app stores, but Zscaler has also detected crooks using non-official Google domains to spread the malware packed as a fake Android firmware security update.

In the past, the Marcher crew used to pack the trojan as Adobe Flash Player updates (which Android devices don't need or support), and spread it via SMS and email spam.

"These frequent changes clearly indicate active malware development that is constantly evolving -- making it the most prevalent threat to the Android devices," says Zscaler's Viral Gandhi.

Users should not install applications from outside the Play Store, even if the Play Store itself has been plagued with malware.
The chances of getting infected with malware are much lower via Play Store apps.

Rogue website delivering Android security update infected with Marcher
