The Android banker Marcher continues to evolve

The Android banker malware - Marcher has been active since late 2013. It started as a stealer for Google Play credentials and credit card data but its goals and targets have shifted over time. SonicWall Threats Research team observed an instance of Marcher with a new notification screen on an infected device which shows signs of a potential new component to its functionality.

Refresher on Android Marcher

As stated earlier, Marcher has been active since late 2013 and has been part of a number of campaigns in different countries. Marcher continues to evolve from the days of its inception, below are few additions that have been observed over the years:

• Started off as a Google Play credentials and Credit Card data stealer
• Added the functionality to steal banking credentials by showing a fake login screen
• Initially targeted German banks but later on banks from France and Australia were also targeted
• Apart from spam and rogue SMS messages recently Marcher started spreading via porn websites
• Along with banks few Marcher strains targeted popular Android apps like Whatsapp, Viber and Facebook
• Amidst the popularity of Mario Run, it masqueraded as the Mario Run app for Android

Infection Cycle

The permissions requested by marcher have been more or less the same:

• write_settings
• get_tasks
• access_network_state
• uses_policy_force_lock
• change_network_state
• write_sms
• call_phone
• system_alert_window
• internet
• send_sms
• vibrate
• access_wifi_state
• change_wifi_state
• receive_boot_completed
• wake_lock
• read_contacts
• read_sms
• read_phone_state
• receive_sms

Once installed and executed the app vanishes from the app drawer but there are three services which keep running in the background on the infected device:

• FDService
• GPService
• PermissionsService

These services perform the following activities:

• Request for Administrator access once the app is executed
  
• Monitor the device and ensure that few hardcoded security apps are not running on the device, the following apps were monitored for the sample we analyzed:

• CM Security Master App Lock - com.cleanmaster.security
• Clean Master - Antivirus - com.cleanmaster.mguard
• CCleaner - com.piriform.ccleaner
• CM Speed Booster - com.cleanmaster.boost
• Anti-virus Dr.Web Light - com.drweb
• 360 Security - Antivirus Boost - com.qihoo.security
• Kaspersky Antivirus & Security - com.kms.free
• Mobile Security & Antivirus - com.eset.ems2.gp
• 360 Security Lite - com.qihoo.security.lite
• Norton Security and Antivirus - com.symantec.mobilesecurity
• DU Speed Booster & Cleaner - com.dianxinos.optimizer.duplay
• Display fake Google password screen and credit card screen to steal data from the victim, this component did not work for the sample we analyzed
• Download fake login screen whenever a targeted banking app is executed. This feature did not work as well as the domain hosting these fake pages - rittar.com/ppcas82 - appears to be offline at the time of writing this blog
  

There are few receivers in the app which constantly monitor for few key events, once these events occur a specific action is performed. Most of the behavior is similar to older Marcher apps apart from one specific action:

• The event of boot completion (android.intent.action.BOOT_COMPLETED) is monitored by com.constre.BootReceiver. This service ensures that upon every boot the three main services mentioned above are started, thereby ensuring malicious parts of the app are started as soon as the device boots up
  
• The event of receiving an SMS (android.provider.Telephony.SMS_RECEIVED) is monitored by com.constre.SmsReceiver_ receiver. This malware is capable of executing commands that it receives via SMS messages
  
• The event of enabling and disabling device administrator privileges (android.app.action.ACTION_DEVICE_ADMIN_DISABLE_REQUESTED and android.app.action.DEVICE_ADMIN_ENABLED, android.app.action.DEVICE_ADMIN_DISABLED) is monitored by com.constre.AdminReceiver. This receiver ensures that device admin piviledges are provided to the app at all times, if we try to disable the device admin privileges from the settings we see something new for Marcher.

  We are shown a screen which says that disabling the device admin privileges will lead to a phone reset. Phone reset or factory reset essentially wipes all the apps installed by the user, in other words it puts the phone back to 'factory' state i.e. just like when the user got the new device. If we click on 'ok' we see an additional screen stating that "System applications could not be removed":
  

Device Admin and Marcher

Traditionally Android marcher samples have requested for device admin privileges. One of the main reasons malware request for this permission is to make it difficult for victims to remove the app from the device as the uninstall button gets greyed out in the settings. This new instance of Marcher takes this up a notch by threatening the victim that the phone will be reset to factory setting if the device admin rights are revoked. This forces the victim to think twice before uninstalling the app.

Revoking the admin rights does not reset the device in this case as it is just a bluff. However the screen which requests for admin rights keeps popping up thereby making it extremely annoying to use the device. Upon examination we saw an xml file named device_admin_new.xml which contains the strings that are seen in the screen mentioned above. Most of the older Marcher samples do not have this file, they just have the file named device_admin.xml

We said "most of the older" samples in the statement above as we did find few old samples with the same file device_admin_new.xml, however we did not see the same screen when we tried to remove the device administrator rights:

• com.inggn (cc333988a21bf08a7b2a92daffe8a64e) has device_admin_new.xml but does not work as it does in the latest sample. We just see an overlay screen that asks for credit card details as soon as the malware is executed leaving us unable to do anything else
• com.construct (ecae04f1367902abc89d3e1e5e6d360a) also has device_admin_new.xml but we were easily able to revoke the admin rights without seeing any additional screen

It looks like this feature was planned but never implemented till now, the worrying bit is the content displayed which states that the phone would be reset to factory state. It is possible that in the near future we see Marcher samples that are actually capable of resetting the device. Currently Marcher is know for stealing user sensitive data from an infected device but the capability of resetting a device will add a destructive force to Marcher.

SonicWall provides protection against multiple variants of this threat via the signatures below:

• GAV: AndroidOS.Marcher.DAN (Trojan)
• GAV: AndroidOS.Marcher.ADMR (Trojan)

Marcher with new device rese
t related screen:

• com.constre - 898557907598665a203b50f833abc26c

Marcher samples that have device_admin_new.xml but do not show the same behavior:

• com.inggn - cc333988a21bf08a7b2a92daffe8a64e
• com.construct - ecae04f1367902abc89d3e1e5e6d360a

The following banks are targeted in the analyzed app:

• Commonwealth bank of Australia - com.commbank.netbank
• Westpac Mobile Banking - org.westpac.bank
• St.George Mobile Banking - org.stgeorge.bank
• BankSA Mobile Banking - org.banksa.bank