A variant of the Marcher banking trojan is targeting Android users by masquerading as a mobile Adobe Flash Player app.
This version of the malware arrives via popcash[dot]net, an advertising network which is known to serve “popunder” ads that display behind a main browser window so that the user sees them when they try to exit.
The ads drop malware payloads that pose as Adobe Flash Player. If a user clicks on the dropper URL, they see a message warning them that their Flash Player is out of date.
The dropper also loads the malware “Adobe_Flash_2016.apk” onto the user’s device, a program which then guides the user to disable security features and allow app installations from unknown sources.
Successful installation prompts the malware to conceal its icon from the home screen, to register the infected device with its command-and-control (C&C) server, and to send important information about the infected device including a list of installed apps to its server.
Zscaler’s Viral Gandhi explains what happens next:
“After a few sleep cycles, the malware waits for the user to open an app from its targeted list. We found that this variant is capable of targeting over 40 financial apps. When the user opens any of the targeted apps, the malware will quickly overlay a fake login page, which lures the victim into supplying user credentials.”
Marcher’s C&C hosts these pages remotely, which allows attackers to update a fake login page whenever necessary.
This isn’t the first time Marcher has taken on a disguise to fool unsuspecting Android users. Neither is it the only Android malware to pose as Flash Player, software which Adobe hasn’t made available on Google’s mobile operating system since 2012.
With that said, if you see Adobe Flash Player for Android, know that it’s a fake and steer clear of it.
At the same time, make sure you only download apps from approved developers on Google’s Play Store. Don’t download apps from elsewhere, and certainly don’t let a suspicious program coerce you into allowing app installations from unknown sources.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.