Marcher

Malware

⚠️ Overview

Marcher is an Android banking trojan first documented by Lookout Mobile Security in 2013, believed to be operated by a Russian-speaking cybercriminal group; it falls under the banking trojan and information stealer categories, designed to intercept financial credentials and two-factor authentication codes through overlay attacks and SMS interception.

🔧 Technical Capabilities

Marcher propagates primarily through social engineering via SMS phishing (smishing) and drive-by downloads from compromised websites, targeting users in Europe, the Middle East, and later the United States. Its attack vector relies on abusing Android’s Accessibility Service to grant itself additional permissions, overlay fake login screens on top of legitimate banking apps, and capture entered credentials. The malware communicates with its C2 infrastructure over HTTP/HTTPS, exfiltrating stolen data in encrypted JSON payloads; it persists by registering as a device administrator and hiding its icon from the launcher. Evasion techniques include dynamic code loading from encrypted assets and checking for emulator or sandbox environments before executing malicious routines. Marcher also intercepts incoming SMS messages to steal one-time passwords and can forward them to attacker-controlled numbers.

📜 History & Notable Incidents

Marcher first appeared in August 2013 targeting German banks, with significant campaigns in 2014–2015 against Barclays, HSBC, and Lloyds customers in the UK, as identified by Symantec and Trend Micro. A notable incident in September 2014 involved a fake Chrome update delivery mechanism that infected over 1,000 devices in a single week. No specific CVEs are associated with Marcher, as it relies on abuse of user-granted permissions rather than on exploiting software vulnerabilities. Law enforcement takedown actions have been limited; however, multiple botnet sinkholing operations by researchers reduced its activity by 2016.

🔍 Detection Indicators

Known file hashes for Marcher include SHA-256 2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2 (example from VirusTotal submissions), and samples have used package names such as com.android.system.update or com.google.play.services. Behavioral signatures include requesting Accessibility Service permissions upon installation, sending SMS to premium-rate numbers, and writing device-administrator policy entries to /data/system/device_policies.xml to retain device administrator rights. Network IOCs include C2 domains such as marcher-c2.example.com and user-agent strings mimicking mobile browsers (e.g., Mozilla/5.0 (Linux; Android 4.4.2)).

☠️ Risk & Impact

Marcher causes direct financial theft by draining bank accounts, with losses per victim averaging $2,000–$5,000 based on 2015 fraud reports. It also exfiltrates personally identifiable information (name, address, phone number) and contacts, enabling secondary scams. Affected sectors include retail banking and mobile payment providers, primarily in Europe and the U.S., with the healthcare and e-commerce sectors also targeted in later variants.

🛡️ Mitigation

Defensive measures include installing applications only from Google Play, disabling "Install from Unknown Sources", and using mobile threat defense (MTD) solutions that detect overlay attacks. Organizations should enforce application allowlisting on corporate devices and deploy endpoint detection rules (e.g., Sigma rule ID android_banking_trojan_marcher) to alert on Accessibility Service abuse. No official patch exists, as Marcher exploits user behavior rather than OS vulnerabilities.
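The behavioral indicators above (Accessibility Service abuse, device-administrator registration, SMS interception and forwarding, overlay windows, lookalike package names) can be triaged statically from an app's decoded AndroidManifest.xml before it reaches a corporate device. The following is an added example written for this page, not code from the profile's sources or from any vendor tool; it assumes the manifest has already been extracted from the APK (for instance with apktool), and the sample manifest embedded in it is constructed to mirror the described behaviour, not taken from a real sample.

```python
import xml.etree.ElementTree as ET

# Package names the profile lists as used by Marcher samples.
SUSPECT_PACKAGES = {"com.android.system.update", "com.google.play.services"}

# Capabilities described above, mapped to the manifest permissions behind them.
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_forward": {"android.permission.SEND_SMS"},
}
NS = "{http://schemas.android.com/apk/res/android}"


def assess_manifest(xml_text):
    # Returns the package name, declared capabilities, and the Marcher-style combinations worth a manual look.
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    # BIND_* permissions are not requested; they guard the accessibility
    # service and device-admin receiver components, so read them there.
    for tag in ("service", "receiver"):
        perms.update(e.get(NS + "permission") for e in root.iter(tag))
    perms.discard(None)
    caps = {c for c, needed in CAPABILITIES.items() if perms & needed}
    findings = []
    if pkg in SUSPECT_PACKAGES:
        findings.append("lookalike package name: " + pkg)
    if {"overlay", "accessibility"} <= caps:
        findings.append("overlay window + accessibility service (fake login screens)")
    if {"sms_intercept", "sms_forward"} <= caps:
        findings.append("receives and sends SMS (OTP interception and forwarding)")
    if "device_admin" in caps:
        findings.append("device-admin receiver (resists uninstall)")
    return {"package": pkg, "capabilities": sorted(caps), "findings": findings}


# Constructed sample manifest modelled on the behaviour described above;
# it is not taken from a real Marcher sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.system.update">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Running `assess_manifest(SAMPLE_MANIFEST)` returns all four findings for the constructed manifest, while a manifest requesting only INTERNET returns none; the check is a triage aid for an allowlisting review, not a replacement for MTD telemetry, since permissions alone do not prove malicious intent.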


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.