Marcher is a banking Trojan that has been targeting Android devices since at least 2013. Over the years, this malware has evolved significantly, incorporating new capabilities that make it a persistent and dangerous threat. Its primary function is to steal sensitive banking and financial information by overlaying legitimate applications with fraudulent phishing screens. This allows cybercriminals to capture login credentials, credit card information, and other personal data.
Threat Summary
Attribute | Details |
---|---|
Name | Marcher malware |
Threat Type | Android malware, banking Trojan, malicious application |
Detection Names | Avast-Mobile (APK:RepMalware [Trj]), ESET-NOD32 (Multiple Detections), Fortinet (Android/Agent.FRJ!tr), Ikarus (Trojan-Dropper.AndroidOS.Agent), Kaspersky (HEUR:Trojan-Dropper.AndroidOS.Hqwar.df) |
Symptoms of Infection | Device running slow, modified system settings without permission, appearance of questionable applications, increased data and battery usage |
Damage | Stolen personal information (logins, passwords, messages), decreased device performance, rapid battery drainage, reduced internet speed, financial losses, identity theft |
Distribution Methods | Fake updates, infected email attachments, malicious online ads, social engineering, deceptive applications, scam websites |
Danger Level | High |

Marcher Malware Overview
Marcher is a highly sophisticated banking Trojan that primarily targets Android users. Once installed, the malware requests extensive permissions, including device administrator rights, which allow it to modify system settings and ensure persistence.
One of the core functionalities of Marcher is its ability to overlay legitimate applications with fraudulent phishing pages. This technique enables cybercriminals to steal login credentials, payment details, and other sensitive data. Marcher has been observed impersonating popular banking apps and financial services, tricking users into entering their information into malicious forms.
Beyond credential theft, Marcher is capable of intercepting SMS messages, allowing attackers to capture one-time passwords (OTPs) and two-factor authentication (2FA) codes. This greatly increases the likelihood of unauthorized access to banking and financial accounts.
Additionally, Marcher can:
- Prevent the device from going to sleep
- Modify and delete files from external storage
- Collect information about Wi-Fi networks and device location
- Read, send, and delete SMS messages
- Make phone calls without user interaction
These capabilities make Marcher one of the most dangerous Android malware strains, with the potential to cause severe financial and privacy-related damage.
How to Remove Marcher Malware (Manual Removal Guide)
Step 1: Boot the Device into Safe Mode
Since Marcher may prevent uninstallation in normal mode, it is crucial to boot the device into Safe Mode.
- Press and hold the power button.
- Tap and hold the “Power Off” option.
- When prompted, select “Reboot to Safe Mode.”
- Wait for the device to restart in Safe Mode (you should see “Safe Mode” at the bottom left corner).
Step 2: Revoke Device Administrator Privileges
- Open Settings.
- Navigate to Security > Device Administrators.
- Look for any suspicious apps with administrator privileges.
- Select the malicious app and tap Deactivate.
Step 3: Uninstall Suspicious Apps
- Go to Settings > Apps & Notifications > App Manager.
- Look for applications that you did not install or those that request excessive permissions.
- Tap on the suspicious app and select Uninstall.
Step 4: Clear Cache and Data from Affected Apps
- Open Settings > Apps & Notifications > App Manager.
- Select the infected app.
- Tap on Storage & Cache.
- Choose Clear Cache and Clear Data.
Step 5: Reset Browser Settings
- Open your browser settings.
- Go to Privacy & Security.
- Select Clear Browsing Data.
- Choose Cookies and Site Data and Cached Images and Files.
- Tap Clear Data.
Step 6: Restart Your Device
After completing the steps above, restart your device normally to verify that the malware has been removed.
Preventive Measures to Avoid Marcher Malware
To prevent Marcher and similar banking Trojans from infecting your device, follow these security best practices:
Download Apps Only from Trusted Sources
- Avoid third-party app stores.
- Download apps only from the Google Play Store.
- Check app reviews and developer information before installing.
Keep Your Device Updated
- Regularly update your Android OS and applications.
- Security patches help fix vulnerabilities that malware exploits.
Disable Unknown Sources
- Go to Settings > Security.
- Ensure that “Install from Unknown Sources” is turned off.
Be Cautious of Email Attachments and Links
- Do not open email attachments from unknown senders.
- Avoid clicking on suspicious links in emails or text messages.
Enable Two-Factor Authentication (2FA)
- Use an authenticator app instead of SMS-based authentication.
- This prevents attackers from stealing OTPs via intercepted SMS messages.
Monitor App Permissions
- Regularly review app permissions.
- If an app requests excessive permissions, uninstall it.
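The permission review above can be scripted. This added example, which is not part of the original article, parses text laid out like `adb shell dumpsys package` output and flags apps that combine several of the capabilities attributed to Marcher earlier. The permission mapping, the threshold of three, and the sample package names are assumptions.

```python
import re
# Assumed mapping from the article's capability list to Android permission names.
P = "android.permission."
CAPABILITIES = {
    "overlay": {P + "SYSTEM_ALERT_WINDOW"},
    "sms": {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS"},
    "calls": {P + "CALL_PHONE"},
    "wake lock": {P + "WAKE_LOCK"},
    "external storage": {P + "WRITE_EXTERNAL_STORAGE"},
    "wifi/location": {P + "ACCESS_WIFI_STATE", P + "ACCESS_FINE_LOCATION"},
}

# Constructed sample, laid out like `adb shell dumpsys package` output.
SAMPLE_DUMP = """\
Package [com.example.notes] (1a2b3c):
  requested permissions:
    android.permission.WAKE_LOCK
  install permissions:
    android.permission.WAKE_LOCK: granted=true
Package [com.example.playerupdate] (4d5e6f):
  requested permissions:
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.RECEIVE_SMS
    android.permission.CALL_PHONE
"""

def parse_requested(dump):
    """Return {package: set of permissions under 'requested permissions:'}."""
    apps, perms, in_section = {}, None, False
    for line in dump.splitlines():
        header = re.match(r"\s*Package \[([^\]]+)\]", line)
        if header:
            perms, in_section = apps.setdefault(header.group(1), set()), False
        elif line.strip() == "requested permissions:":
            in_section = perms is not None
        elif in_section and re.fullmatch(r"\s+[\w.]+", line):
            perms.add(line.strip())
        else:
            in_section = False
    return apps

def audit(dump, admins=(), threshold=3):
    """Flag packages combining at least `threshold` of the listed capabilities."""
    flagged = {}
    for pkg, perms in parse_requested(dump).items():
        hits = sorted(c for c, need in CAPABILITIES.items() if perms & need)
        hits += ["device admin"] if pkg in admins else []
        if len(hits) >= threshold:
            flagged[pkg] = hits
    return flagged
```

Pass the package names shown under Settings > Security > Device Administrators as `admins` so that administrator rights count toward the threshold.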
Use a Secure Wi-Fi Connection
- Avoid connecting to public Wi-Fi networks.
- If necessary, use a VPN for secure browsing.
Regularly Back Up Your Data
- Store backups on external storage or a cloud service.
- This ensures that you can restore your device if malware compromises your data.
Conclusion
Marcher is a highly dangerous banking Trojan that continues to evolve and target Android users worldwide. By disguising itself as legitimate applications, it can steal banking credentials, financial details, and personal information. The malware’s ability to intercept SMS messages, manipulate system settings, and perform overlay attacks makes it a severe threat to user security and privacy.
Following the manual removal guide provided above and implementing strong security practices will help protect your device from infections like Marcher. Always stay vigilant and avoid installing suspicious applications to keep your data safe.