New firmware update? No, it’s the devious Marcher Android trojan up to no good

Android-based malware comes with new tricks, bells, and whistles.

David bisson
David Bisson

New firmware update? Nope... it's the Marcher Android trojan up to no good

The Marcher trojan has come up with a new way to infect Android users: pose as a fake firmware update.

Researchers at security firm Zscaler explain this version of the malware is being distributed as “Firmware_Update.apk”:

“An HTML page serving this malware scares the victim by showing that the device is vulnerable to viruses and to prevent personal data theft, prompting them to install the fake update.”

The message, which pretends to come from Google, attempts to frighten Android users into believing that their smartphone or tablet is already infected by malware, and that personal information may be accessible to other internet users.


Your phone is insecure!

Your Android device has 3 critical issues and is vulnerable to viruses.

Some of your photos, chat messages and account passwords may have become visible to others on the internet.

To prevent further data leaks please download firmware update.

Upon installation, the Marcher malware asks for administrative access.

The malware needs those privileges to check for banking and payment apps as well as other well-known services installed on the victim’s device, including Facebook, WhatsApp, Instagram, Gmail, and others. If the user opens any of those apps, Marcher will see it coming, overlay a fake login page, and wait for them to enter in their credentials.

Sign up to our free newsletter.
Security news, advice, and tips.

Deepen Desai, director of security research at Zscaler, told SCMagazine there’s not much worse than malware masquerading as a security update:

“We have seen PC malware posing as security updates or a malware clean-up utility in the past. With the growing security concerns around mobile malware, this distribution is an attempt to lure users into downloading fake mobile firmware updates to infect their device. There’s a bit of irony here too – users think they are downloading an update to protect their device, when in fact it’s actually a malicious application designed to cause harm.

It just goes to show how far this trojan has come.


First detected in 2013, Marcher began by targeting Android users’ credentials and credit card information on the Google Play Store. From there, it assumed the guise of banking malware and set its sights on financial organizations in Germany.

Marcher eventually expanded its scope to organizations in Australia, France, Turkey, the United States, and most recently the United Kingdom, using emails, URLs, spoofed login pages, fake Adobe Flash Player updates, and malicious apps available on the Google Play Store (like X-Video) to infect a target’s device.

Aside from adopting a new method of distribution, this latest version of the malware employs code obfuscation, communicates with its command-and-control server via SSL, and implements checks to verify whether the victim is located in Russia, Belarus, or other CIS/SIG countries.


Is Marcher as prolific as Hummer? No. Is it as powerful as Godless? No.

Even so, these ongoing updates make Marcher a force to be reckoned with, as Zcaler’s researchers note:

“We are seeing numerous infection attempts in our cloud for this malware family. These frequent changes clearly indicate active malware development that is constantly evolving – making it the most prevalent threat to the Android devices.”

To protect themselves against this newest iteration of Marcher, Android users should download applications only from trusted developers on the Google Play Store and consider installing an anti-virus solution onto their devices.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

3 comments on “New firmware update? No, it’s the devious Marcher Android trojan up to no good”

  1. tsearles

    i woke up to my phone being frozen on a page that says Firmware update DO NOT UNPLUG usb connection until process is complete! Now the phone is just frozen on that page\screen

  2. Timothy boone

    Me too.what is it.

  3. J Kubitz

    Explicitly stating how to get rid of it might be the right thing to do. Why not do that?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.