An Android banking Trojan called Marcher has been managed by a single botnet to steal a significant number of payment cards. Marcher monitors the applications launched by the victim, and when one of the targeted apps is detected, it displays an overlay screen to trick the user into handing over sensitive information. Researchers found that the majority of the infected Android devices run version 6.0.1, and hundreds run version 7.0. Different types of popular apps, such as WhatsApp, Super Mario Run and Netflix, contain this kind of malware.
“Marcher is one of the few Android banking Trojans to use the AndroidProcesses library, which enables the application to obtain the name of the Android package that is currently running in the foreground. This library is used because it uses the only (publicly known) way to retrieve this information on Android 6 (using the process OOM score read from the /proc directory),” Securify researchers explained.
Securify has identified nine Marcher botnets over the last 6 months, and each of them has been provided with new modules and targeted web injects by the Trojan’s creators. One of these botnets, which mainly targets the customers of banks in Germany, Austria and France, has infected more than 11,000 devices, including 5,700 in Germany and 2,200 in France. The attackers’ C&C server stored 1,300 payment card numbers and other banking information.