{
	"id": "799a6842-a53b-4e89-8053-9c78056a6f53",
	"created_at": "2026-04-06T00:16:45.479028Z",
	"updated_at": "2026-04-10T13:11:26.510915Z",
	"deleted_at": null,
	"sha1_hash": "4df1370584da75196318e2d15420a7d6bcfb9b2b",
	"title": "Marcher Malware: Android Baking Trojan Targets Austria | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1382589,
	"plain_text": "Marcher Malware: Android Baking Trojan Targets Austria |\r\nProofpoint US\r\nBy November 03, 2017 Proofpoint Staff\r\nPublished: 2017-11-03 · Archived: 2026-04-05 20:06:57 UTC\r\nOverview\r\nCredential phishing, banking Trojans, and credit card phishing schemes are common threats that we regularly\r\nobserve both at scale and in more targeted attacks. However, Proofpoint researchers have recently observed\r\nphishing attacks that incorporate all of these elements in a single, multistep scheme involving the Marcher\r\nAndroid banking Trojan targeting customers of large Austrian banks. Attacks involving Marcher have become\r\nincreasingly sophisticated, with documented cases involving multiple attack vectors and a variety of targeted\r\nfinancial services and communication platforms [1][2]. In this case, a threat actor has been targeting customers of\r\nBank Austria, Raiffeisen Meine Bank, and Sparkasse since at least January 2017.\r\nThe attacks described here begin with a banking credential phishing scheme, followed by an attempt to trick the\r\nvictim into installing Marcher, and finally with attempts to steal credit card information by the banking Trojan\r\nitself.\r\nAnalysis\r\nMarcher is frequently distributed via SMS, but in this case, victims are presented with a link in an email.\r\nOftentimes, the emailed link is a bit.ly shortened link, used to potentially evade detection. The link leads to a\r\nphishing page that asks for banking login credentials or an account number and PIN. 
Figure 1 shows one such landing page using stolen branding from Bank Austria.\r\nhttps://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks\r\nPage 1 of 20\n\nFigure 1: Landing page for phishing scheme asking for the victim’s signatory number and PIN using stolen branding from Bank Austria\r\nBecause the actor delivered phishing links using the bit.ly URL shortener, we can access delivery statistics for this particular campaign. The link resolves to a URL designed to appear legitimate, with a canonical domain of sicher97140[.]info including the “bankaustria” brand.\r\nFigure 2: Bit.ly statistics for a phishing landing page targeting Bank Austria customers\r\nThe actor appears to have recently begun using “.top” top-level domains (TLDs) for their phishing landing pages and to have implemented a consistent naming structure for those domains. Earlier this year, the actor used “.pw” TLDs, while the Bank Austria scheme highlighted above used “.info”. 
Some recent campaigns against other bank customers also used “.gdn” TLDs.\r\nOther attacks on Bank Austria customers that we observed in October 2017 resolved to .top domains built on the same naming structure.\r\nThese permutations of TLDs and canonical domains, incorporating the legitimate domain expected by the targeted banking customers, exemplify recent trends in social engineering by threat actors. Just as threat actors may use stolen branding in their email lures to trick potential victims, they reproduce a legitimate domain name in a fraudulent domain that is not controlled by the bank.\r\nOnce the victim enters their account information on the landing page, the phishing attack then requests that the user log in with their email address and phone number.\r\nFigure 3: Step two of the credential phish asking for the victim’s email address and phone number\r\nHaving stolen the victim’s account and personal information, the scammer introduces a social engineering scheme, informing users that they currently do not have the “Bank Austria Security App” installed on their smartphone and must download it to proceed. 
Figure 4 shows the download prompt for this fake app; an English translation follows.\r\nFigure 4: Alert prompting the victim to download an Android banking app (English translation below), with stolen branding and fraudulent copy\r\n***Translation***\r\nDear Customer,\r\nThe system has detected that the Bank Austria Security App is not installed on your smartphone. Due to new EU money laundering guidelines, the new Bank Austria security app is mandatory for all customers who have a mobile phone number in our system.\r\nPlease install the app immediately to avoid blocking your account.\r\nFollow the instructions at the bottom of this page.\r\nWhy you need the Bank Austria Security App:\r\nDue to outdated technology of the mobile network, important data such as mTan SMS and online banking connections are transmitted unencrypted.\r\nOur security app allows us to transmit this sensitive data encrypted to you, thus increasing the security that you will not suffer any financial loss.\r\nStep 1: Download Bank Austria Security App\r\nDownload the Bank Austria security app to your Android device. 
To do this, open the displayed link on your mobile phone by typing it in the URL field of your browser or scan the displayed QR code.\r\n***End translation***\r\nThe phishing template then presents additional instructions for installing the fake security application (Figure 5):\r\nFigure 5: Additional instructions telling the victim to give the app the requested permissions (English translation below), with stolen branding and fraudulent copy\r\n***Translation***\r\nStep 2: Allow installation\r\nOpen your device's settings, select Security or Applications (depending on the device), and check Unknown sources.\r\nStep 3: Run installation\r\nStart the Bank Austria security app from the notifications or your download folder, tap Install.\r\nAfter successful installation, tap Open and enable the device administrator. Finished!\r\n***End translation***\r\nReferring again to bit.ly, we can see click statistics for this campaign (Figure 6).\r\nFigure 6: bit.ly statistics for the fake Bank Austria Android app download link\r\nFrom this small sample, we see that 7% of visitors clicked through to download the application, which is actually a version of the Marcher banking Trojan named “BankAustria.apk”, continuing the fraudulent use of the bank’s branding to fool potential victims.\r\nThis sample is similar to those presented in other recent Marcher analyses [1][2].\r\nThis particular application is signed with a fake certificate (every subject and issuer field is left as Unknown):\r\nOwner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown\r\nIssuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown\r\nSerial: 1c9157d7\r\nValidity: 11/02/2017 00:16:46 to 03/20/2045 00:16:46\r\nMD5 Hash: A8:55:46:32:15:A9:D5:95:A9:91:C2:91:77:5D:30:F6\r\nSHA1 Hash: 32:17:E9:7E:06:FE:5D:84:BE:7C:14:0C:C6:2B:12:85:E7:03:9A:5F\r\nThe app requests 
extensive permissions during installation that enable a range of activities supported by the malware. Those permissions shown in bold in the original post are the most problematic:\r\nAllows an application to write to external storage.\r\nAllows an application to read from external storage.\r\nAllows an application to use SIP service.\r\nAllows an application to collect battery statistics.\r\nAllows an app to access precise location.\r\nAllows an application to receive SMS messages.\r\nAllows an application to send SMS messages.\r\nAllows an application to read SMS messages.\r\nAllows an application to write SMS messages.\r\nAllows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.\r\nAllows applications to access information about networks.\r\nAllows applications to open network sockets.\r\nAllows an application to read the user's contacts data.\r\nAllows an application to read or write the system settings.\r\nAllows an application to force the device to lock.\r\nAllows applications to access information about Wi-Fi networks.\r\nAllows applications to change Wi-Fi connectivity state.\r\nAllows applications to change network connectivity state.\r\nAnalysis of the malware shows that it uses a common string obfuscation technique, character replacement (Figure 7 shows the encoded strings and Figure 8 the decoded strings):\r\nFigure 7: Encoded Marcher Strings\r\nFigure 8: Decoded Marcher Strings\r\nAs noted, the application requests extensive permissions during installation; Figure 9 shows the request to act as device administrator, a particular permission that should very rarely be granted to an 
app.\r\nFigure 9: Prompt for application permissions upon installation\r\nFigures 10 and 11 show the other permission screens for the app:\r\nFigure 10: Part 1 of the permission screen for the app\r\nFigure 11: Part 2 of the permission screen for the app\r\nOnce installed, the app places a legitimate-looking icon on the phone’s home screen, again using branding stolen from the bank.\r\nFigure 12: Fake Bank Austria Security application icon\r\nIn addition to operating as a banking Trojan, overlaying a legitimate banking app with an indistinguishable credential theft page, the malware also asks for credit card information from the user when they open applications such as the Google Play store.\r\nFigure 13: Popup asking for a credit card number\r\nThe application also supports stealing credit card verification information (Figures 14 and 15).\r\nFigure 14: Information theft via fake credit card verification using stolen 
branding\r\nFigure 15: Information theft via fake credit card verification using stolen branding\r\nSome of the campaigns appear to have a wider reach based on bit.ly statistics, like this one from October 13, 2017:\r\nFigure 16: bit.ly statistics for an October 13, 2017 campaign\r\nOver several days during the last three months, Proofpoint researchers observed campaigns using similar techniques targeting the banking customers of Raiffeisen and Sparkasse. A review of the bit.ly statistics for these campaigns shows that they were at least as effective in driving end-user clicks as the Bank Austria campaign analyzed above.\r\nConclusion\r\nAs our computing increasingly crosses multiple screens, we should expect to see threats extending across mobile and desktop environments. Moreover, as we use mobile devices to access the web and phishing templates extend to mobile environments, we should expect to see a greater variety of integrated threats like the scheme we detail here. As on the desktop, mobile users need to be wary of installing applications from outside of legitimate app stores and sources and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites. 
Unusual domains, the use of URL shorteners, and solicitations that do not come from verifiable sources are also red flags for potential phishing and malware.\r\nReferences\r\n[1] https://clientsidedetection.com/marcher.html\r\n[2] https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article\u0026id=1047\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\n47.91.92[.]60 | IP | Phish Landing\r\n49.51.37[.]177 | IP | Phish Landing\r\n49.51.37[.]247 | IP | Phish Landing\r\n47.254.128[.]80 | IP | Phish Landing\r\n8dfc01cfed545651e3cf73437ab748dc | MD5 | Marcher - Analyzed Sample\r\n185.188.204[.]16 | IP | Marcher C\u0026C\r\nET and ETPRO Suricata/Snort Signatures\r\n2024943  Raiffeisen Phishing Domain Nov 03 2017\r\n2024944  Sparkasse Phishing Domain Nov 03 2017\r\n2024946  BankAustria Phishing Domain Nov 03 2017\r\n2024947  Successful Raiffeisen Phish Nov 03 2017\r\n2024948  Successful Sparkasse Phish Nov 03 2017\r\n2024949  Successful BankAustria Phish Nov 03 2017\r\n2024950  Android Marcher Trojan Download - Raiffeisen Bank Targeting (set)\r\n2024951  Android Marcher Trojan Download - Sparkasse Bank Targeting (set)\r\n2024952  Android Marcher Trojan Download - BankAustria Targeting (set)\r\n2024953  Android Marcher Trojan Download - Austrian Bank Targeting\r\n2828513  Trojan-Banker.AndroidOS.Marcher Domain Request in SNI\r\n2828514  Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 2\r\n2828515  Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 3\r\n2828516  Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 4\r\n2828517  Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 5\r\n2828518  Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 6\r\n2828519  
Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 7\r\n2828520  Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 8\r\n2828521  Trojan-Banker.AndroidOS.Marcher Domain Request in SNI 9\r\n2828524  Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 1\r\n2828525  Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 2\r\n2828526  Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 3\r\n2828527  Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 4\r\n2828528  Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 5\r\n2828529  Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 6\r\n2828530  Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 7\r\n2828531  Trojan-Banker.AndroidOS.Marcher.z DNS Lookup 8\r\nSource: https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks"
	],
	"report_names": [
		"credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434605,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4df1370584da75196318e2d15420a7d6bcfb9b2b.pdf",
		"text": "https://archive.orkl.eu/4df1370584da75196318e2d15420a7d6bcfb9b2b.txt",
		"img": "https://archive.orkl.eu/4df1370584da75196318e2d15420a7d6bcfb9b2b.jpg"
	}
}