Cloud computing security provider Zscaler has warned of a new Android Marcher malware attack. The warning came from Viral Ghandi in a blog on the Zscaler site. The malware is tricking Android users by pretending to be the Super Mario Run game. This is not the first time Android Marcher has hidden behind a fake game screen.
Nintendo has decided to release Super Mario Run on Apple iOS first. This has created a lot of demand from Android users for their own version of the game. Hackers have exploited that demand in the same way they exploited the demand for Pokémon Go last year. They simply put out fake links to the game and when users download the files it installed Android Marcher.
A wide range of banking and finance apps attacked
The malware targets all the financial apps on a users’ device. When they use them they are presented with a fake login screen that captures their details. In the Zscaler blog, Ghandi lists the finance apps the malware targets. It includes the Android apps from banks such as Société Générale, BNP Paribas, RBS, NatWest, Halifax, HSBC, TSB and Santander. All data gathered is sent back to a Command and Control (C&C) server where it is harvested and shared.
It is not just the banking apps that are targeted. Users accessing the Google Play store are presented with a lock screen which requires their credit card details. Ghandi reports that fortunately for those already infected, the credit card C&C links appear to be broken at the moment.
Users making it too easy by giving up excess permissions
What makes it easy for the malware to succeed is the misuse of permissions when installed. Apps and games on mobile devices often demand excessive permissions in order to run. For example a birthday app that demands access to contacts, video, photos and the right to post as the user.
In this case Android Archer specifically seeks administrative rights over the device. This allows it to access call and SMS history, make calls and send SMS without the user knowing as well as modify system settings. In doing so it would be easy for the malware owners to install other malware on the device. The most obvious of these would be a payload that includes ransomware.
Could this have been prevented?
Prevented – No. Mitigated – yes. Hackers exploiting user demand for an app or game is nothing new and is unlikely to ever go away. Is it reasonable for Nintendo to have recognised the risk to users by launching Super Mario Run on Apple iOS without giving an Android date? The answer to that is yes, especially given it saw a similar scenario play out with Pokémon Go. It could perhaps have mitigated the attack by giving an Android launch date but that would not have stopped this attack.
There is also a question over user behaviour here. Hackers love to target the weak link and gamers desperate for something they “must have” are always an easy target. Users are all too willing to download apps and games from unofficial sites despite all the warnings. Many do so to get it first while an even larger group do it to avoid paying for an app or a game.
There are also improvements from an OS perspective. Apps and games downloaded from outside an official store are hard to control. App and games using official stores should be limited in the excessive permissions they require. This is something that app stores have failed at and something that needs addressing.
Conclusion
As with all attacks on mobile devices there is an enterprise risk here. Those devices will end up inside the enterprise and the malware will be shared between users. If that user has access to the company bank accounts or uses a company credit card there is a potential loss to the business. IT departments need to ensure that in a world of Bring Your Own Device (BYOD) they enforce separation between user apps and business apps on devices. This can be through the use of sandboxes or virtualisation.
