by RSS Dario Durando, Kenny Yang, David Maciejak  |  May 17, 2017  |  Filed in: Security Research

 

 

Android malware continues to grow exponentially now that it has overtaken the top position as the most popular OS (across all platforms), making it the target of choice for malware authors. Android Marcher is an Android banker malware that has been on the FortiGuard Labs radar since late 2013. Since that time it has been seen in a number of campaigns targeting many different banks and countries. And now, Marcher has once again resurfaced with a new campaign. Over the past few months we have observed it masking itself in a variety of ways – sometimes hiding behind the icons of games, banks or popular applications to lure victims into installing it on their devices.

Samples from this family of malware show that it usually has a small footprint, keeping all of their phishing pages online, ready to be downloaded whenever the targeted application is open on the device.

After obtaining DeviceAdmin privileges, malware from the Marcher family hides itself and begins waiting. When one of the many targeted apps is opened, it hijacks the main screen and displays a phishing page obtained from a URL, usually of the form https://host/subfolder/njs2/?m=[id_of_app] (in the APPENDIX you will find the targeted apps with related ID.)  While the campaign primarily targets banking apps, it does not stop there. It also keeps track of Google Play, PayPal, messaging apps, and social media. 

Once credentials are obtained they are sent to the C&C and added to the database. Marcher is able to receive multiple commands through SMS, including but not limited to: intercept SMS, execute USSD codes, send SMS, and lock and unlock the phone. These are the main features of the Marcher family. If you are interested in a more exhaustive, in-depth analysis for the previous version, we recommend that you read this blogpost by the folks at Securify.

 

New anti-emulation feature

Marcher creators are aware of the growing attention it is attracting among the research community. To prevent this, previous Marcher versions had implemented an anti-AV check to prevent security apps from running on the device. The malware checks if a known antivirus app is running on the device (the full list is provided in the APPENDIX). If it is, it redirects the main screen to the HOME screen, as you can see in figure 1 below.

Description: F:\work\Work_From_July_2016\work_with_david\antiav_3.jpg

Figure 1: Check for installed AV apps

 

However, it seems like this was not good enough for the authors. So in the more recent versions, Marcher creators have implemented another check to reduce the effectiveness of researcher analysis. The app now also checks to see if it is running in an emulator or on a real device.

As you can see in the Figure 2, the malware checks for multiple indicators of emulation:

For example, it checks if the IMEI is a default value (000000000000000, 012345678912345, 004999010640000) or if it uses some widely known kernels for emulators (ranchu/goldfish). It also checks for the use of strings “generic”, “unknown,” or others that would suggest the use of an emulator in multiple fields of the Build object.

 

 

Figure 2: Anti-emulator code

 

This check complicates the researcher’s life because modifying these values in emulators is not extremely straightforward (it usually requires a modification of the binary file of the emulator), while code obfuscation makes spotting the routine a little bit harder.

With respect to the Marcher samples we encountered few months ago, between the end of 2016 and the beginning of 2017, the level of obfuscation has been increased even more, to the point where even method calls are disguised using getDeclaredMethod() to retrieve the wanted routine and declaredMethod.invoke() to execute it, in addition to obfuscated strings to evade static analysis. While the obfuscation method used in the old and new versions is the same, in the latest samples there are almost no clear text strings identifiable. In Figure 3 you can see the de-obfuscated strings added as comment.

 

 

Figure 3: Code obfuscation

 

Figure 4: C&C address list

At the time of writing, the C&C panel had already been taken offline. However, SfyLabs were able to get their hands on it and extract the bot list. As you can see in the chart below, roughly 3700 devices were infected, and by a large margin the two most targeted countries were France and Germany.

 

Conclusion

As usual, our advice is to be careful when you are installing applications on your device. Given the prevalence of Android-based malware, don’t blindly trust third party application marketplaces, or apps advertised via email or text message. Even if the app icon looks legit to you, you never know what could be hidden behind it. A good security practice is to always check the permissions the app requires and only allow those that are strictly necessary.

Detection

Fortinet detects this malware with the signature Android/SpyBanker.IS!tr, and detects the older versions of Marcher with the signature Android/Banker.IH!tr.spy.

FortiGuard Labs will follow up on this and keep you updated on this and other android banking malware.

 

-= FortiGuard Lion Team =-

 

APPENDIX

IOC

Package name: etcqlnzwauf.hflivryhdnjb

Hash: 6f5835c921d5e1616e3d0a871c8d88e6bb8f3b67fb14cbc3ac345126b6b2365b

Package name: snqtu.cgbsbdjj

Hash: c20318ac7331110e13206cdea2e7e2d1a7f3b250004c256b49a83cc1aa02d233

Package name: gnpwibfapfjtdr.orvcpqiilijrbih

Hash: 9d1b630f017d1975aca8d0be51f8720918c0382e2edd58a9bfdb7243d5869f6d

Package name: fvxqpwsunfbvkesmd.xydmpw

Hash: 980a7ea0250aea85d7a986a9d2035d0a127e861da18107d10a50532643732f2d

ANTIVIRUS APPS CHECKED

com.symantec.mobilesecurity
com.avast.android.mobilesecurity
com.duapps.antivirus
com.nqmobile.antivirus20
com.netqin.antivirus
com.antivirus.tablet
com.qihoo.security
com.thegoldengoodapps.phone_cleaning_virus_free.cleaner.booster
avg.antivirus
com.cleanmaster.boost
droiddudes.best.anitvirus
com.referplish.VirusRemovalForAndroid
com.drweb
com.trustlook.antivirus
com.antivirus
com.dianxinos.optimizer.duplay
com.avira.android
com.cleanmaster.mguard_x8
com.anhlt.antiviruspro
com.womboidsystems.antivirus.security.android
com.qihoo.security.lite
com.zrgiu.antivirus
com.cleanmaster.mguard
com.bitdefender.antivirus
com.ikarus.mobile.security
com.psafe.msuite
oem.antivirus
com.cleanmaster.security
com.sonyericsson.mtp.extension.factoryreset
com.eset.ems.gp
com.piriform.ccleaner
com.nqmobile.antivirus20.clarobr
com.kms.free
com.cleanmaster.sdk
com.eset.ems2.gp

BANKS APPS TARGETED

com.isis_papyrus.raiffeisen_pay_eyewdg, id=10
com.ykb.androidtablet, id=121
de.ing_diba.kontostand, id=67
de.consorsbank, id=14
com.bapro.movil, id=39
at.bawag.mbanking, id=1
com.ykb.android, id=122
de.dkb.portalapp, id=15
se.accumulate.me.core.androidclient.csb, id=54
com.intertech.mobilemoneytransfer.activity, id=116
com.garanti.cepbank, id=110
com.garanti.cepsubesi, id=112
com.rbs.mobile.android.natwest, id=24
de.postbank.finanzassistent, id=17
tr.com.sekerbilisim.mbank, id=118
com.mosync.app_Banco_Galicia, id=46
org.banelco, id=51
de.comdirect.android, id=12
pe.com.interbank.mobilebanking, id=53
com.santander.app, id=47
ar.com.santander.rio.mbanking, id=33
cl.santander.smartphone, id=35
mx.bancosantander.supermovil, id=50
com.tmob.denizbank, id=117
br.com.bb.android, id=34
com.vakifbank.mobile, id=119
com.grppl.android.shell.BOS, id=20
com.ykb.android.mobilonay, id=120
com.bancomer.mbanking, id=38
org.microemu.android.model.common.VTUserApplicationLINKMB, id=52
com.bcp.bank.bcp, id=42
com.starfinanz.smob.android.sfinanzstatus, id=11
com.ingbanktr.ingmobil, id=114
at.volksbank.volksbankmobile, id=4
com.akbank.softotp, id=107
com.tmobtech.halkbank, id=113
at.easybank.mbanking, id=2
uk.co.tsb.mobilebank, id=28
com.starfinanz.smob.android.sbanking, id=70
com.akbank.android.apps.akbank_direkt_tablet, id=124
com.rbs.mobile.android.rbs, id=25
com.finansbank.mobile.cepsube, id=109
com.rbs.mobile.android.ubr, id=26
com.htsu.hsbcpersonalbanking, id=23
com.bbva.nxt_argentina, id=40
com.bankaustria.android.olb, id=5
com.grupoavalav1.bancamovil, id=44
com.itau, id=45
de.commerzbanking.mobil, id=13
com.citibanamex.banamexmobile, id=43
com.akbank.android.apps.akbank_direkt, id=106
at.spardat.netbanking, id=3
co.com.bbva.mb, id=36
com.starfinanz.mobile.android.dkbpushtan, id=69
de.fiducia.smartphone.android.banking.vr, id=16
com.todo1.davivienda.mobileapp, id=48
com.barclays.android.barclaysmobilebanking, id=19
com.grppl.android.shell.CMBlloydsTSB73, id=21
se.accumulate.me.core.androidclient.occidente, id=55
com.bancodebogota.bancamovil, id=37
com.teb, id=108
biz.mobinex.android.apps.cep_sifrematik, id=111
com.pozitron.iscep, id=115
com.grppl.android.shell.halifax, id=22
com.ing.diba.mbbr2, id=9
com.db.mm.deutschebank, id=8
mobile.santander.de, id=18
com.ziraat.ziraatmobil, id=123
de.adesso.mobile.android.gadfints, id=68
uk.co.santander.santanderUK, id=27
com.todo1.mobile, id=49
com.bbva.nxt_peru, id=4
com.cic_prod.bad id=87

CC

hxxps:[/][/]easymanage.at[/]HISHEATWANT[/]

hxxps:[/][/]theponyclub.at[/]HISHEATWANT[/]

hxxps:[/][/]selltheworld.at[/]HISHEATWANT[/]

hxxps:[/][/]chucknorris.at[/]addproblemanima[/]

hxxps:[/][/]l33tchuck.at[/]addproblemanima[/]

hxxps:[/][/]chucksfactory.at[/]addproblemanima[/]

hxxps:[/][/]engesappies.at[/]addproblemanima[/]

hxxps:[/][/]android-service.at[/]iosys[/]

hxxps:[/][/]android-service.email[/]iosys[/]

hxxps:[/][/]android-service.info[/]iosys[/]

hxxps:[/][/]autohauss.at[/]iosys[/]

hxxps:[/][/]gooleplay.at[/]iosys[/]

hxxps:[/][/]internetservicees.at[/]iosys[/]

hxxps:[/][/]internetservicees.at[/]iosys[/]

hxxps:[/][/]internetservicees.be[/]iosys[/]

hxxps:[/][/]internetservicees.ch[/]iosys[/]

hxxps:[/][/]music-streams.at[/]iosys[/]

hxxps:[/][/]exofisty.at[/]jadafire[/]

hxxps:[/][/]fisttheexo.at[/]jadafire[/]

hxxps:[/][/]soldatenccarmy.at[/]jadafire[/]

hxxps:[/][/]soldatenccarmygoldenshower.at[/]jadafire[/]

hxxps:[/][/]soldatenccarmythegaynation.at[/]jadafire[/]

hxxps:[/][/]clouddream.at[/]hairyass[/]

hxxps:[/][/]tripletribe.at[/]hairyass[/]

hxxps:[[/][/]]beachmusiclisting.at[/]hairyass[/]

 

by RSS Dario Durando, Kenny Yang, David Maciejak  |  May 17, 2017  |  Filed in: Security Research