Don't get infected by Marcher malware targeting Android devices | ACMA


10 December, 2015 01:54 PM


By Editor


Australians are increasingly being targeted by cybercriminals through different communications platforms. The current spate of Marcher malicious software (malware) infections initiated through SMS communications highlights why internet users need to be vigilant whenever they’re accessing the internet. In the last 90 days we’ve seen Marcher malware infections in the top five most common infections reported through our Australian Internet Security Initiative (AISI).

As more Australians perform internet banking and other financial transactions on their mobile devices, they are increasingly becoming a target for cybercriminals. These cybercriminals are developing and using malware designed specifically to run on these devices; Marcher is one example, targeting Android devices. Marcher manipulates banking applications on Android devices by substituting its own fields for the fields in these applications, thereby stealing the user’s banking credentials.

The method used by Marcher to infect Australian Android devices appears to be very effective. Initially a user will receive an SMS that contains text similar or equivalent to the following:

You have unread incoming MMS message. To view the message please install Adobe Flash Player, click the link to continue: [link]

If the recipient follows the link they will be directed to a website that enables the installation of Marcher malware rather than the ‘Adobe Flash’ application. At first the approach used by the cybercriminals behind Marcher was to provide no guidance to users about how to install the ‘application’. As most Android devices have default settings designed to prevent installation of applications from non-trusted sources, we suspect that the number of Marcher malware installations by Australian users may have been less than hoped for by the cybercriminals.

We noticed, however, that the cybercriminals have changed their method for installing Marcher. SMS message reports sent to us reveal that the link in the SMS now directs users to an ‘instructions’ webpage that explains which settings to change in order to install the malicious ‘Adobe Flash’ player application. The page provides professionally presented images of the settings changes that enable the installation of Marcher, and they are only too easy to follow. Changing these settings to allow installation of applications from untrusted sources also potentially leaves the device open to the installation of other Android malware.
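The lure described above is recognisable from its text alone: a claim of an unread MMS, an instruction to install ‘Adobe Flash Player’, and a link. The following Python script is an added example (not ACMA’s code or part of the original post) of a simple triage pass a reporting team could run over forwarded SMS messages. The sample messages are constructed for the example and the hostname example.invalid is a placeholder; the phrase list and scoring thresholds are assumptions chosen to match the lure quoted in this post.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample reports, modelled on the lure text quoted in the post.
# These are not real reported messages; example.invalid is a placeholder host.
SAMPLE_REPORTS = [
    "You have unread incoming MMS message. To view the message please install "
    "Adobe Flash Player, click the link to continue: http://example.invalid/flash.apk",
    "You have unread incoming MMS message. To view the message please install "
    "Adobe Flash Player, click the link to continue: http://example.invalid/instructions",
    "Your parcel is ready for pickup, see http://example.invalid/track",
    "Hi, are we still on for lunch tomorrow?",
]

# Matches http/https links in free text (assumed sufficient for SMS bodies).
URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)

# Phrases characteristic of this lure family (assumed; tune from real reports).
LURE_PHRASES = (
    "unread incoming mms",
    "adobe flash player",
    "install",
)


@dataclass
class Verdict:
    message: str
    urls: list
    phrases: list
    apk_link: bool
    score: int
    suspicious: bool


def extract_urls(text):
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(text)


def matched_phrases(text):
    """Return the lure phrases present in the message (case-insensitive)."""
    lowered = text.lower()
    return [p for p in LURE_PHRASES if p in lowered]


def links_to_apk(urls):
    """True if any link path ends in .apk, i.e. a direct Android package download."""
    return any(urlparse(u).path.lower().endswith(".apk") for u in urls)


def triage(message, threshold=3):
    """Score one reported SMS. A link is a precondition for 'suspicious';
    each lure phrase adds 1 and a direct .apk link adds 2 (assumed weights)."""
    urls = extract_urls(message)
    phrases = matched_phrases(message)
    apk = links_to_apk(urls)
    score = (1 if urls else 0) + len(phrases) + (2 if apk else 0)
    suspicious = bool(urls) and score >= threshold
    return Verdict(message, urls, phrases, apk, score, suspicious)


def triage_reports(reports, threshold=3):
    """Triage a batch of reports and return one Verdict per message."""
    return [triage(m, threshold) for m in reports]


if __name__ == "__main__":
    for v in triage_reports(SAMPLE_REPORTS):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"[{flag}] score={v.score} apk={v.apk_link} urls={v.urls}")
        print(f"    {v.message[:70]}...")
```

Both variants of the lure quoted in this post (direct package link and ‘instructions’ page) score above the threshold, while the unrelated messages do not; the .apk check is what separates the two lure variants in the output, which is the change in delivery method the post describes.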

We have direct evidence of the method being deployed by the cybercriminals behind Marcher, thanks to Australian consumers who have received these SMS messages and reported them to 0429 999 888, our SMS spam reporting number. These reports have also enabled us to assess how the methodology used to install Marcher is changing over time.

Just as is the case with email communications, we recommend that you:

- don’t open SMS messages from unknown or suspicious sources
- never follow hyperlinks contained in these messages
- only install Android applications from trusted sources, such as Google Play.

Any application that encourages you to bypass the default security options within Android should be viewed as potentially malicious or harmful.

We encourage Australian consumers to forward suspicious or spam SMS messages to the ACMA on 0429 999 888.

Statistics on the malware reports made through the AISI are available on our website.

Note: Adobe discontinued the Flash Player ‘plug-in’ application for mobile browsers on Android devices in August 2012.