{
	"id": "d2504b8d-e428-488a-a7d0-395c8ace0201",
	"created_at": "2026-04-06T00:12:25.2822Z",
	"updated_at": "2026-04-10T03:30:33.840829Z",
	"deleted_at": null,
	"sha1_hash": "0b8f5d031a80b84445cdd5dc57d3faa639538e3a",
	"title": "Android Marcher: Continuously Evolving Mobile Malware | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1644314,
	"plain_text": "Android Marcher: Continuously Evolving Mobile Malware | Zscaler\r\nBy Viral Gandhi\r\nPublished: 2016-08-10 · Archived: 2026-04-02 11:06:35 UTC\r\nFirst seen in 2013, the Android Marcher mobile malware has widely targeted Google Play users, harvesting their credentials and credit card data. The malware waits for the victim to open the Google Play store and then displays a fake HTML overlay page asking for credit card information. The fake page will not go away until the user provides the payment information.\r\nIn March 2014, we noticed newer variants targeting financial organizations in Germany. Upon infection, Marcher would inspect the victim’s device and send a list of all installed apps to its command and control (C\u0026C) server. If the malware found any German banking apps installed on the device, it would show a fake page asking for the credentials of that particular institution. Unaware that the login page is fake, the victim would enter their credentials, which were then sent to the malware’s C\u0026C. The malware would also show a fake Google Play payment page if the infected device did not have any German banking apps. We covered one such sample in a previous blog.\r\nMarcher then started targeting financial firms in Australia, France, Turkey and the United States. Some Marcher samples were observed targeting PayPal as well.\r\nRecently, Marcher added the United Kingdom to its hit list, as reported by Trend Micro.\r\nPreviously, Marcher was distributed through fake Amazon and Google Play store apps. We have also seen it delivered through a fake porn site that posed as a Chrome update. This month, we observed another change in the Marcher campaign: the malware is now being delivered as a fake Android firmware update. We discovered the payload dropped as “Firmware_Update.apk”. 
An HTML page serving this malware frightens the victim with a warning that the device is vulnerable to viruses and that personal data may be stolen, and prompts them to install the fake update to prevent it.\r\nFake update page\r\nhttps://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware\r\nPage 1 of 5\n\nOnce installed, Marcher asks for device administrator access, which it needs to carry out its malicious activity. An app that holds device administrator rights cannot be uninstalled until that permission is deactivated in the device’s security settings.\r\nIn 2013, Marcher targeted only Russian mobile users; in recent samples, however, the author has added checks to find out whether the infected device is located in CIS/SIG territory, and the malware stops its activity if it is. Malware authors commonly add such a check to avoid prosecution in their home jurisdiction, so its presence suggests that Marcher may be authored and maintained from CIS/SIG countries. See the following screenshot.\r\nCIS/SIG countries check\r\nAnother change in these newer variants is simple obfuscation, implemented by the author with base64 encoding and string replace functions. Older samples did not use this obfuscation. See the following screenshot.\r\nSimple obfuscation techniques\r\nIn older Marcher samples, the malware showed the fake Google Play credential page only when the user opened the Play store app. In recent samples, the author has added checks for multiple well-known apps, and the fake credential page is shown when the user opens any of these apps. 
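The base64 layer described above is the first thing a static triage of such a sample has to strip to recover its target list. As an added example, not code from the Zscaler post or from the Marcher sample, the following Python helper takes a dump of string constants from a decompiled APK, base64-decodes every token that decodes cleanly, and reports those that name one of the overlay targets the post lists; it also models the installed-app check by listing which installed packages would trigger an overlay. The string dump is constructed for the example, and the unmangle hook (exercised with a hypothetical replace of '-' for '=') stands in for whatever string replace step a given sample applies, which the post does not show.

```python
import base64
import binascii

# Overlay targets named in the post (package name -> app shown to the victim).
MARCHER_TARGETS = {
    'com.android.vending': 'Google Play',
    'com.viber.voip': 'Viber',
    'com.whatsapp': 'WhatsApp',
    'com.skype.raider': 'Skype',
    'com.facebook.orca': 'Facebook Messenger',
    'com.facebook.katana': 'Facebook',
    'com.instagram.android': 'Instagram',
    'com.android.chrome': 'Chrome',
    'com.twitter.android': 'Twitter',
    'com.google.android.gm': 'Gmail',
    'com.UCMobile.intl': 'UC Browser',
    'jp.naver.line.android': 'Line',
}

# Constructed string dump standing in for the output of a strings tool run on a
# sample's classes.dex. It is not taken from a real Marcher sample: two tokens are
# base64 of package names from the list above, the rest are decoys that must be
# ignored (a URL prefix, a file name, a word of invalid length, and a token that
# decodes to non-text bytes).
CONSTRUCTED_STRINGS = [
    'Y29tLndoYXRzYXBw',                 # base64 of com.whatsapp
    'aHR0cHM6Ly8=',                     # base64 of https:// (decodes, but no target)
    'Firmware_Update.apk',              # characters outside the base64 alphabet
    'Y29tLmFuZHJvaWQudmVuZGluZw==',     # base64 of com.android.vending
    'Marcher',                          # 7 characters: rejected as bad padding
    'abcdabcd',                         # valid base64, but decodes to non-ASCII bytes
]


def decode_candidate(token):
    # Return the decoded text if token is well-formed base64 that decodes to
    # printable ASCII, otherwise None. validate=True rejects tokens containing
    # characters outside the base64 alphabet instead of silently dropping them.
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode('ascii')
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_encoded_targets(strings, unmangle=None):
    # Map each token that decodes to a known overlay target to that package name.
    # unmangle, if given, undoes the sample's string replace step before decoding.
    # It is a hypothetical hook: the post says a replace step exists, not what it does.
    hits = {}
    for token in strings:
        candidate = unmangle(token) if unmangle else token
        package = decode_candidate(candidate)
        if package in MARCHER_TARGETS:
            hits[token] = package
    return hits


def overlay_triggers(installed_packages):
    # Model the behaviour the post describes: the installed-app list is compared
    # against the target list, and each match would get a fake credential page.
    return sorted(set(installed_packages) & set(MARCHER_TARGETS))


if __name__ == '__main__':
    for token, package in find_encoded_targets(CONSTRUCTED_STRINGS).items():
        print(token, '->', package, '(' + MARCHER_TARGETS[package] + ')')
    print(overlay_triggers(['com.whatsapp', 'com.example.bank', 'com.android.vending']))
```

Feeding a real strings dump through find_encoded_targets is a quick way to confirm which of the listed apps a new sample overlays; if the sample adds a replace step, pass its inverse as unmangle, for example lambda s: s.replace('-', '=') for a sample that swaps the padding character.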
Following are the apps listed in the code and shown in the above screenshot, base64-encoded:\r\nPlay Store (com.android.vending)\r\nViber (com.viber.voip)\r\nWhatsApp (com.whatsapp)\r\nSkype (com.skype.raider)\r\nFacebook Messenger (com.facebook.orca)\r\nFacebook (com.facebook.katana)\r\nInstagram (com.instagram.android)\r\nChrome (com.android.chrome)\r\nTwitter (com.twitter.android)\r\nGmail (com.google.android.gm)\r\nUC Browser (com.UCMobile.intl)\r\nLine (jp.naver.line.android)\r\nWe have also seen changes in the C\u0026C communication. Older samples talked to the C\u0026C over plain HTTP; the new samples do so over SSL. Observe the following screen captures.\r\nC\u0026C\r\nC\u0026C over SSL\r\nWe are seeing numerous infection attempts in our cloud for this malware family. These frequent changes clearly indicate active development that is constantly evolving, making Marcher one of the most prevalent threats to Android devices.\r\nTo avoid becoming a victim of such malware, it is always best to download apps only from trusted app stores, such as Google Play. This can be enforced by unchecking the \"Unknown Sources\" option under the \"Security\" settings of your device; because the fake firmware update described here arrives as a sideloaded APK, that setting blocks this infection vector.\r\nZscaler ThreatLabZ is actively monitoring this malware and ensuring that Zscaler customers are protected.\r\nSource: https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware"
	],
	"report_names": [
		"android-marcher-continuously-evolving-mobile-malware"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434345,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b8f5d031a80b84445cdd5dc57d3faa639538e3a.pdf",
		"text": "https://archive.orkl.eu/0b8f5d031a80b84445cdd5dc57d3faa639538e3a.txt",
		"img": "https://archive.orkl.eu/0b8f5d031a80b84445cdd5dc57d3faa639538e3a.jpg"
	}
}