Marcher is an evolving Android banking Trojan whose scope and capabilities have changed since it was first seen in 2013. Spreading through phishing emails and websites, it prompts the victim to download “security updates” from third-party app stores. It has also been found to spread through malicious apps on the Google Play Store itself.

Using social engineering, this malware lures victims into accessing their bank accounts through fake text notifications that reference unexpected transactions. Once the user enters their login credentials, the stolen data is tested and then sent to the criminals’ command-and-control server.

Because the malware has administrative control over the device, it can hinder several popular mobile security applications and bypass the two-factor authentication that a user has set up with their banks.

To generate even more revenue, criminals can have the infected device secretly call and message premium toll numbers they own.

Lately, Marcher has been seen targeting both banking credentials and credit card information through overlays on Google Play, Facebook, Skype, and Instagram applications.

ThreatSTOP customers are protected from Marcher if they have TS Crit targets enabled in their policies.