Marcher: An Android Trojan That Keeps Coming Back

It has been six years since the first version of a Trojan called Marcher was spotted. Over the years its operators kept upgrading it and releasing new variants; the latest known version appeared in 2017. Whether it is still active is hard to say, since its creators may well be working on another variant. While the earliest versions were used to steal Google Play account details, the newer variants grew more sophisticated and went after victims' banking credentials and other financial information. In this report we cover the core functions shared by all Marcher versions and the changes introduced by the newer variants. Before we begin, we should stress that this Trojan targets Android, so we recommend this article in particular to anyone who uses an Android phone or other Android device.

The first thing we would like to explain is how Marcher is spread. According to security researchers, the Trojan has been distributed through phishing messages sent to targeted victims' devices and through malicious advertisements placed on pornographic or otherwise harmful websites. The operators also relied on spoofing: targeted users were redirected to fake banking applications or login pages, to fake sites for not-yet-released mobile or computer games, and so on. In other words, victims were usually tricked both into launching the Trojan's installer themselves and into handing over their credentials. To avoid such threats, stay away from unreliable websites and be careful with unexpected messages or emails, especially ones that ask you to provide sensitive information, download a file, or visit another site.

Next, we would like to talk about Marcher's main functionality and the improvements added in its newer versions. Most variants can execute remote commands, send USSD codes, send SMS messages, lock the infected device, mute or unmute it, and intercept incoming SMS messages. The ability to read the victim's messages is probably the most dangerous of these, because it lets the operators capture one-time verification codes sent by text. With that capability, SMS-based two-factor authentication can be bypassed: the attacker already holds the stolen password, and the second factor is read straight off the phone. Researchers who followed the malware from the start noticed that each new version came with changes intended to make it harder to detect. So far, three further releases have been identified between 2013 and 2017. The first improved version took about three years to appear, showing up in 2016; the other two were noticed in 2017. In one of them, the operators added SSL encryption of the traffic between the Trojan and its command-and-control server, so that the communication could not be read or easily flagged on the wire.
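As an added example (not code from the original article and not Marcher's own code), the following Python script shows the kind of check an analyst would run on a decoded AndroidManifest.xml to spot the capability mix described above: reading and sending SMS, dialling (needed to send USSD codes), drawing over other apps, a high-priority receiver for incoming SMS, and a device-admin receiver (needed to lock the device). The two sample manifests are constructed for illustration, the permission groups and the priority threshold are the author's own heuristic assumptions, and a high score is a reason to look closer, not proof of infection.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for the capability
mix typical of SMS-stealing banking Trojans.  Added example; the
permission groups and thresholds below are assumptions, not a signature."""

import xml.etree.ElementTree as ET

# Attributes in a manifest live in the android: namespace.
A = "{http://schemas.android.com/apk/res/android}"

SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_SEND = {"android.permission.SEND_SMS"}
DIAL = {"android.permission.CALL_PHONE"}            # needed to fire USSD codes via ACTION_CALL
OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW"}  # draw fake login screens over other apps
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
PRIORITY_THRESHOLD = 100  # assumption: legitimate apps rarely need this high


def parse_permissions(root):
    """Return the set of permission names requested by the manifest."""
    return {el.get(A + "name") for el in root.iter("uses-permission") if el.get(A + "name")}


def has_sms_interceptor(root):
    """True if a receiver listens for SMS_RECEIVED with an elevated priority.
    Before Android 4.4 a high-priority receiver could abort the broadcast so the
    stock messaging app never displayed the text; that is how OTPs were hidden."""
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            if SMS_RECEIVED not in actions:
                continue
            try:
                priority = int(flt.get(A + "priority", "0"))
            except ValueError:
                priority = 0
            if priority >= PRIORITY_THRESHOLD:
                return True
    return False


def requests_device_admin(root):
    """A device-admin receiver lets the app call DevicePolicyManager.lockNow()."""
    return any(r.get(A + "permission") == DEVICE_ADMIN for r in root.iter("receiver"))


def triage_manifest(xml_text):
    """Score a manifest; returns the permissions found and the indicators hit."""
    root = ET.fromstring(xml_text)
    perms = parse_permissions(root)
    indicators = []
    if perms & SMS_READ:
        indicators.append("reads incoming SMS")
    if perms & SMS_SEND:
        indicators.append("sends SMS")
    if perms & DIAL:
        indicators.append("can dial (USSD)")
    if perms & OVERLAY:
        indicators.append("draws over other apps")
    if has_sms_interceptor(root):
        indicators.append("high-priority SMS_RECEIVED receiver")
    if requests_device_admin(root):
        indicators.append("requests device admin (can lock device)")
    return {"permissions": sorted(perms), "indicators": indicators, "score": len(indicators)}


# Constructed sample manifests for demonstration only.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.banker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(text)
        print(f"{label}: score={result['score']} indicators={result['indicators']}")
```

To use it on a real sample, decode the APK first (for example with apktool) and pass the resulting AndroidManifest.xml text to `triage_manifest`. The constructed suspicious manifest hits all six indicators; the flashlight manifest hits none.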

Since the first updated version took years to appear, the people behind Marcher may be taking their time again and could return with yet another variant. Even so, the functionality of the latest known version is enough to cause serious trouble, especially for users still running old Android releases. We therefore recommend keeping devices on a current Android version: since Android 4.4 only the default SMS app can consume incoming messages, and later releases require the user to grant SMS and overlay permissions explicitly, which blunts several of the tricks described above. As said earlier, stay away from dubious sites and do not interact with advertisements or messages that arrive unexpectedly or from doubtful sources. Finally, researchers recommend a reputable antimalware tool that can detect threats like Marcher.

What's more, this malicious application has been used in attacks on organizations in the past. Institutions whose staff use Android devices, and who could be targeted by its operators, should train employees to recognise the phishing messages and fake app downloads that deliver it. They should also deploy robust mobile security tools that can block Marcher before it is installed.

Lastly, we wish to stress that Marcher is not a threat you should try to remove by hand. It is a sophisticated infection, and manual removal is extremely difficult, not least because a variant holding device-admin rights can resist uninstallation. If you suspect it may be on your device, we strongly recommend using a legitimate antimalware tool to eliminate it.