Weekly Executive Summary Week Ending February 17, 2017
By Joseph Lorenz on February 17, 2017
Marcher Android Banking Trojan
What is it? Android Banking Trojan
What is it dubbed as? Marcher
What does it do?
The banking trojan uses two main attack vectors to capture user credentials and credit card information: interception of SMS messages and phishing overlay attacks.
First, it targets out-of-band authentication, which many banks implement through SMS messages. Out-of-band authentication is a form of multi-factor authentication used by many financial institutions to make it harder for malicious actors to abuse banking applications: when a customer wants to make a transaction, a text message or phone call is sent to the mobile number the institution has on file. A trojan with SMS access can read and forward those messages.
The trojan then attempts its overlay attack if certain conditions are met. A target list of bank-specific fake login pages resides on a command and control (C2) server. The malware checks which application is currently in the foreground using the AndroidProcesses library, and if that application matches a fake login page on the C2 server, the trojan displays the phishing overlay to capture the user's credentials. The user believes they are using their normal banking application, but when they submit the form the malware sends the entered data to the C2 server.
The overlays are also used for other financial transactions, such as purchases on the Google Play Store, Facebook and similar services, where credit card details entered by the user are captured on the device and sent to the C2 backend.
Android devices do not need to be rooted to be susceptible to these attacks; the attackers rely on legitimate Android functionality rather than on any exploit.
How does it do it?
The Marcher trojan requests a long list of permissions that are dangerous in combination. Being able to read and write SMS messages lets it bypass or spoof out-of-band authentication, and android.permission.INTERNET is a crucial part of the attacker's process, as it is used to fetch the screen overlays and to send captured credentials and credit card information to the C2 server.
Marcher uses AndroidProcesses, a small Android library for enumerating the running processes on a device. This tells the malware which application is in the foreground; it then checks whether that application matches any overlay hosted on its C2 servers. If a match is found, the malware pushes its phishing overlay to the foreground, so the user believes the legitimate app has started. The library can list running applications without requiring any special permissions.
When a targeted application is detected, a custom WebView is used to place the phishing page on screen; the page communicates through Asynchronous JavaScript and XML (Ajax) calls with a PHP backend that stores the captured data. Securify has posted the full list of targeted banking apps and of the other applications targeted to harvest credit card information.
The trojan also uses evasion techniques to hide from antivirus software running on the device. Using the same AndroidProcesses process listing, it compares the running applications against a list of Android antivirus and cleaner apps such as CCleaner, Booster Cleaner, Norton Security and Antivirus, and many more (the full list of targeted antivirus apps is posted on Securify's site).
If one of these security apps is detected, the malware sends the user back to the home screen before they can accept the antivirus service's prompt to remove the trojan, which lets it avoid removal by security applications.
Permissions for SMS and MMS messages are declared in AndroidManifest.xml so the malware can collect SMS messages from the infected device and send them to the C2 server. Because SMS is the main channel financial institutions use for multi-factor authentication of customers, these messages allow the attacker to defeat out-of-band authentication.
The first time the malware runs, it asks the user for device administrator rights, and the request screen reappears even if the application's process is killed. Once the rights are granted, the malware can lock and mute the infected device, reset the device's password, and display a phishing WebView that cannot be dismissed. The technique is very similar to ransomware; the main difference is that the data on the device is not encrypted, although the user can be locked out of the rest of the device.
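The permission combination described in the two preceding passages (SMS/MMS access plus INTERNET, and a device-administrator receiver) can be checked statically from a decoded AndroidManifest.xml before an app is allowed onto a managed device. The script below is an added example written for this summary; it is not code from the original post, from Securify, or from a Marcher sample. The two manifests are constructed for illustration, and the permission names used (READ_SMS, RECEIVE_SMS, SEND_SMS, RECEIVE_MMS, BIND_DEVICE_ADMIN) are standard Android names assumed here, not ones extracted from the malware.

```python
"""Static triage of an AndroidManifest.xml for the permission combination
described above: SMS/MMS access plus INTERNET plus a device-admin receiver.

Added example for this summary; not code from the original post, from
Securify, or from a Marcher sample. The sample manifests are constructed, and
the permission names are standard Android names assumed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

# Standard Android permission names (assumed for illustration).
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
}
INTERNET_PERM = "android.permission.INTERNET"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample: a dropper-style manifest asking for the full combination.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_MMS"/>
    <application android:label="Player">
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the SMS-related permissions it requests,
    any device-admin receivers, and a list of findings."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # Device-admin rights are not a uses-permission: the app declares a
    # receiver protected by BIND_DEVICE_ADMIN and then asks the user to enable it.
    admin_receivers = [
        r.get(NAME_ATTR)
        for r in root.iter("receiver")
        if r.get(PERMISSION_ATTR) == DEVICE_ADMIN_PERM
    ]
    sms_perms = sorted(requested & SMS_PERMS)

    findings = []
    if sms_perms and INTERNET_PERM in requested:
        # Can read one-time codes from SMS and exfiltrate them.
        findings.append("sms_plus_internet")
    if admin_receivers:
        # Can lock the screen, reset the password, and resist removal.
        findings.append("device_admin_receiver")
    if len(findings) == 2:
        findings.append("marcher_like_combination")

    return {
        "package": root.get("package", ""),
        "sms_permissions": sms_perms,
        "admin_receivers": admin_receivers,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(xml))
```

Run it against a manifest decoded with a tool such as apktool; a hit on `marcher_like_combination` is a reason to block or investigate the package, while a messaging app will legitimately trigger `sms_plus_internet` alone, so the combination, not any single permission, is the signal.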
Botnets discovered on the C2 servers mainly target banks in Germany, France, the UK, and the United States. Besides phished credit card data and user credentials, the C2 server collects the International Mobile Equipment Identity (IMEI), phone number, IP address, carrier name, SMS messages, contact phone numbers, and installed packages from each infected device. Hosting the phishing overlays on the C2 servers makes the attack more dynamic: operators can update the target list remotely without changing the malware itself.
According to Securify, the source code of the Marcher C2 server implements a SOCKS proxy feature for the bots. This helps the attackers avoid detection by financial institutions whose out-of-band authentication relies on binding the IP address of the customer's Android device, since traffic proxied through the bot appears to come from the victim's own device.
Conclusion:
Infection by this type of malware is extremely dangerous. The core overlay attack initially needs no special permissions beyond Internet access on the Android device; the SMS and device-administrator capabilities are granted by the user at install time and on first run. The malware relies on libraries and classes that already exist in Android rather than exploiting any vulnerability, so it can affect a large number of Android devices.
The trojan is dynamic: it can quickly update its phishing overlays and add newly targeted applications remotely through its C2 servers. The developers and contributors appear to be motivated by financial gain, given that the key targets are banking applications and that its evasion methods are aimed at financial institutions' fraud detection.
Users should avoid installing third-party applications from outside the Google Play Store and should keep Unknown Sources disabled. Even when installing from the Play Store, users should read the reviews left by other users to check the application's legitimacy. When installing new applications, users should be vigilant about the permissions requested; a long list of permissions, or permissions that do not seem essential to the application's purpose, are red flags.
Sources:
https://www.securify.nl/blog/SFY20170202/marcher___android_banking_trojan_on_the_rise.html
(Securify)