As ZDNet reports, the campaign was uncovered by researchers at Proofpoint Security. Its creators have been running it for at least 10 months, aiming to compromise the bank accounts of Bank Austria, Raiffeisen Meine Bank and Sparkasse.
Fake apps
The attack is usually distributed by a text message. This commences a multi-step procedure that includes phishing, credential theft and banking components. The Marcher Android banking Trojan is used to compromise financial service platforms and convince users to hand over their details.
People who visit the link sent in the text or email are sent to a fake Bank Austria webpage. They’re asked to enter their details, including contact information. This is used for the next stage when the attackers send an email with instructions to install a “Bank Austria Security App” to a mobile device. It’s claimed Bank Austria have made this a mandatory installation and will block the account if it’s not downloaded.
Collecting card details
At this point, the Marcher Trojan is installed onto the Android device. It masquerades as a legitimate Bank Austria product, using the firm’s branding and providing credible-looking app icons for the home screen. Attentive users will notice it demands a wide variety of permissions, including precise location access and the ability to read SMS messages.
The Trojan is capable of directly stealing credit card details by requesting information when certain apps are launched. It listens for apps such as the Google Play Store and displays a fake credit card information prompt. When the user enters their details, the attackers are handed everything they need to make payments using the card.
20,000 victims
According to Proofpoint, nearly 20,000 people may have engaged with the campaign. Similar attacks have been observed against Meine Bank and Sparkasse customers. The researchers said the campaign demonstrates the increasing sophistication of Marcher-based malware, a Trojan which has been around since 2013.
READ NEXT: Microsoft to triple cloud capacity in China as demand grows
“Proofpoint researchers have recently observed phishing attacks that incorporate [several] elements in a single, multistep scheme involving the Marcher Android banking Trojan targeting customers of large Austrian banks,” said Proofpoint Security. “Attacks involving Marcher have become increasingly sophisticated, with documented cases involving multiple attack vectors and a variety of targeted financial services and communication platforms.”
Web users should remain sceptical of unverified emails and text messages purporting to be from reputable companies. Care should also be taken when installing new apps, particularly those that request permissions that seem to be unrelated to their functionality. “Extensive” permission demands could be a sign that an app has nefarious intentions.
