Marcher Banking Trojan Uses Overlays to Gather Login Credentials

What is the Marcher banking Trojan?

The Marcher banking Trojan is not a new threat. You might have heard of this infection at some point over the years, because it has been around since at least 2013. It has not stayed the same: it has changed quite a bit, and there are now numerous different versions of this threat that we could talk about. In this report, however, we look at the whole picture. If you suspect that this malware might have invaded your Android device, it is crucial that you delete it immediately. However, we hope that you read this before an invasion, so that you can take appropriate security measures first. If you are interested, please continue reading.

How does Marcher banking Trojan spread?

The cyber attackers behind the Marcher banking Trojan did not stick to one method of distribution throughout all of these years, and that is to be expected. After all, if the attackers had stayed stagnant and their methods had not evolved, their attacks would no longer be successful. Unfortunately, they have been successful. According to ZDNet, by the end of 2017, Marcher had over 20,000 recorded victims, and this number must have grown since then. In the beginning, this malware exploited Google Play to invade vulnerable Android devices. Google Play is, to this day, the most popular and respected app platform for Android users. Cybercriminals know this well, and that is why they continue to inject malicious apps into it even today. Marcher, too, was concealed behind apps that looked legitimate and harmless. The attackers used well-known gaming, bank, and entertainment apps to hide the Trojan. Once the victim was tricked into downloading the app, the Trojan was loaded.

When the Marcher attackers exhausted the possibilities provided by Google Play, they moved on to porn sites and phishing scams. According to malware experts at EasySol, malicious ads were created and placed on porn sites to trick victims into executing malware unknowingly. When it comes to phishing scams, SMS/MMS messages were used. It is hard to say what other security backdoors and cracks the attackers could use, but we know very well that cybercriminals should never be underestimated.

How does Marcher work inside an Android device?

Different versions of Marcher have acted differently throughout the years, but we know what the basic functionality of this malware is. Perhaps its most dangerous feature is the ability to overlay apps’ login screens. Whenever the Trojan detects that the victim has opened a banking app, or any app that asks for login credentials, it can create an overlay that allows the attackers to gather any information that is entered. To make matters worse, if a two-factor authentication code is requested via SMS, the Marcher Trojan can read it and then hijack your account. Needless to say, if remote attackers gain access to your bank account, they could clean it out. Even if they hijack your email or social networking accounts, they could, for example, steal your identity and use your name to spread malware further. Besides this, the Trojan should be able to employ SOCKS 5 to route packets between the device and the remote server, mess with the device’s sound, and also lock it at random times.
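The overlay-plus-SMS combination described above can be looked for on a device you manage. The following is an added example, not code from the original report: it parses the "requested permissions:" sections of `adb shell dumpsys package` output and flags apps that ask for both an overlay permission and SMS read access. The report does not list the permissions Marcher requests, so mapping these standard Android permissions to it is an assumption, and the package names and dumpsys excerpt are constructed.

```python
# Mapping these real Android permissions to Marcher is an assumption.
OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW"}
SMS_READ = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

def requested_permissions(dumpsys_text):
    """Map package -> permissions listed under 'requested permissions:'."""
    result, pkg, in_requested = {}, None, False
    for line in dumpsys_text.splitlines():
        s = line.strip()
        if s.startswith("Package [") and "]" in s:
            pkg, in_requested = s[len("Package ["):s.index("]")], False
            result[pkg] = set()
        elif s == "requested permissions:":
            in_requested = pkg is not None
        elif in_requested:
            if not s or s.endswith(":"):      # blank line or next section header
                in_requested = False
            else:                             # strip suffixes like ": restricted=true"
                result[pkg].add(s.split(":")[0])
    return result

def flag_overlay_sms(dumpsys_text, trusted=()):
    """Return (package, risky permissions) for apps that can overlay AND read SMS."""
    findings = []
    for pkg, perms in sorted(requested_permissions(dumpsys_text).items()):
        if pkg not in trusted and perms & OVERLAY and perms & SMS_READ:
            findings.append((pkg, sorted(perms & (OVERLAY | SMS_READ))))
    return findings

# Constructed dumpsys excerpt; package names are hypothetical.
SAMPLE = """\
  Package [com.example.flashupdate] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS: restricted=true
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.messages] (4d5e6f):
    requested permissions:
      android.permission.READ_SMS: restricted=true
      android.permission.SYSTEM_ALERT_WINDOW
  Package [com.example.notes] (7a8b9c):
    requested permissions:
      android.permission.INTERNET
"""
if __name__ == "__main__":
    for pkg, perms in flag_overlay_sms(SAMPLE, trusted={"com.example.messages"}):
        print(f"REVIEW {pkg}: {', '.join(perms)}")
```

Pass the apps you deliberately use for messaging in `trusted`; a flagged package is a candidate for review, not proof of infection.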

How to secure Android devices against Marcher?

Prevention is the key to virtual security. If you do not want your security jeopardized and your identity stolen, you need to do whatever it takes to keep malicious threats away. When it comes to Marcher, you need to stay away from suspicious ads, phishing scams, and, of course, unreliable apps. Unfortunately, it is not always easy to identify malicious apps because reviews and ratings can lie. Also, the apps might take on the names, logos, and other features of well-known, popular apps. At the end of the day, you have to take care of your virtual security, and if you do not want to face malicious threats, you need to be mindful. It is also a good idea to employ security apps that could increase your virtual security. If you wish to continue discussing the threat, please post your comments and questions in the form below.


Palmer, D. November 6, 2017. Android security triple-whammy: New attack combines phishing, malware, and data theft. ZDNet.
Porras, E. August 17, 2017. Marcher Trojan Isn't Going Away. It's Getting Smarter. Cyxtera.

