The Marcher mobile bot has added nine UK banks to its list of targets, according to researchers at IBM X-Force Research.
Originating from Russian underground forums, it first appeared in the wild in 2013, targeting Google Play store users in order to steal credit card details. In 2014 it began targeting banks, and since then it has steadily widened its scope to take in targets in Germany, Austria, France, Australia and Turkey.
Marcher uses a fake screen overlay to trick users into entering their bank details. The level of customisation for each bank is described as highly sophisticated by Limor Kessem, executive security advisor at IBM.
“Carefully matching each bank's look and feel, Marcher adapts its fake overlay screens to the organizations it targets. The adaptation is most likely programmed by the original malware developer for an extra fee. However, overlay screens are not complicated to make and can be created by outsourced black-hat developers or the malicious operators,” she wrote.
Users of Marcher, who can purchase it from the developer on the dark web, trigger an attack by sending an SMS to the target informing them that they have received a money transfer. When the curious recipient then attempts to log into their banking account, Marcher displays the overlay, which captures the banking credentials as they are typed.
The developers have built quality control into the app. Before it sends the credentials to the attacker's command and control server, it tests them, only forwarding them if it gets a positive result.
Marcher can also hijack SMS messages and selectively forward phone calls from the device – enabling the attackers to intercept the primary authentication methods. It can also initiate calls to premium rate numbers.
Marcher comes hardcoded with overlays for a number of popular banking brands, which can spoof the app and the mobile website, but it can also download overlays for other banks as needed.
It can also disable eight popular antivirus apps while continuing to send spoof messages that appear to come from the AV to reassure the user that they are still protected.
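The capabilities described above (fake overlays, SMS interception, call forwarding and premium-rate dialling, disabling other apps) rarely occur together in a legitimate app, which is what a defender can key on. The following Python triage heuristic is an added illustration of that idea, not code from IBM X-Force or PhishLabs: it scores simplified, constructed records of installed apps by how many of those behaviour classes their declared Android permissions enable. The permission names are real Android permissions, but the mapping from permission to behaviour, the `AppRecord` structure and the sample apps are this example's own assumptions.

```python
"""Capability-combination triage for Marcher-style mobile banking malware.

Added example. Each AppRecord is a constructed, simplified view of an
installed app's declared Android permissions; the permission-to-behaviour
mapping below is an assumption made for illustration, not from the reports.
"""
from dataclasses import dataclass

# Behaviour described in the article -> permissions that plausibly enable it
# (assumed mapping; the permission strings themselves are real Android ones).
BEHAVIOUR_PERMISSIONS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "call_control": {"android.permission.CALL_PHONE",
                     "android.permission.PROCESS_OUTGOING_CALLS"},
    "kill_other_apps": {"android.permission.KILL_BACKGROUND_PROCESSES"},
}


@dataclass(frozen=True)
class AppRecord:
    package: str
    permissions: frozenset
    is_bank_app: bool = False  # assumed: taken from an allowlist of known bank apps


def behaviours(app):
    """Return the set of behaviour classes the app's permissions enable."""
    return {name for name, perms in BEHAVIOUR_PERMISSIONS.items()
            if perms & app.permissions}


def triage(apps, min_behaviours=3):
    """Flag non-bank apps that combine at least `min_behaviours` behaviour classes.

    A messaging app legitimately reads SMS and a dialler legitimately places
    calls; the signal is the combination, so single-capability apps are not
    flagged at the default threshold. Returns (package, sorted behaviours)
    tuples, most capable first, then by package name for stable output.
    """
    flagged = []
    for app in apps:
        found = behaviours(app)
        if not app.is_bank_app and len(found) >= min_behaviours:
            flagged.append((app.package, sorted(found)))
    flagged.sort(key=lambda item: (-len(item[1]), item[0]))
    return flagged


# Constructed sample inventory: three benign-looking apps and one that
# combines every behaviour class the article attributes to Marcher.
SAMPLE_APPS = [
    AppRecord("com.example.messenger",
              frozenset({"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS",
                         "android.permission.SEND_SMS"})),
    AppRecord("com.example.screendimmer",
              frozenset({"android.permission.SYSTEM_ALERT_WINDOW"})),
    AppRecord("com.example.bank",
              frozenset({"android.permission.CALL_PHONE",
                         "android.permission.INTERNET"}),
              is_bank_app=True),
    AppRecord("com.example.suspicious",
              frozenset({"android.permission.SYSTEM_ALERT_WINDOW",
                         "android.permission.RECEIVE_SMS",
                         "android.permission.CALL_PHONE",
                         "android.permission.KILL_BACKGROUND_PROCESSES",
                         "android.permission.INTERNET"})),
]


if __name__ == "__main__":
    for package, found in triage(SAMPLE_APPS):
        print(f"{package}: {', '.join(found)}")
```

Lowering `min_behaviours` to 1 turns the heuristic into a plain inventory of which apps hold each capability, which is useful for review but noisy; the default of 3 reflects the article's point that it is the stacking of overlay, SMS and call control in one unexpected app that is anomalous.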
Writing in January, PhishLabs said about Marcher: “It's fairly polished and successful as a tool used by cybercriminals to facilitate account takeover. However, there are certain code artifacts and network indicators that can be used to identify the mobile malware and initiate takedown of hosting infrastructure.”