Malicious programs of this family request administrator rights and then make themselves invisible in the list of installed apps. This malware can intercept the user’s personal data, such as SMS messages, MMS messages, and USSD requests. The program can also redirect incoming calls to phone numbers controlled by the cybercriminals. The phone numbers and message texts to be intercepted, and the cybercriminals’ phone numbers used for call redirection, are downloaded from the command-and-control server.
Programs of this family interfere with banking and other legitimate apps, such as the Commerzbank app or Google Play. When the user tries to open one of these legitimate apps, the malware replaces the genuine app window with a phishing window that asks for banking information. The user’s stolen data is sent to the cybercriminals.
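The combination of behaviours described above can be checked for during static triage of an app's decoded `AndroidManifest.xml`. The following is an added example, not code from the original page or from Kaspersky Lab; the mapping from each behaviour to standard Android permission and intent names, the function names, and the threshold are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping from behaviours named in the description to manifest
# entries (standard Android names; not taken from the original page).
BEHAVIOUR_PERMS = {
    "sms_mms_interception": {P + "RECEIVE_SMS", P + "RECEIVE_MMS"},
    "call_or_ussd_control": {P + "CALL_PHONE"},
    "window_overlay": {P + "SYSTEM_ALERT_WINDOW"},
}
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

def triage_manifest(xml_text):
    """Return the sorted list of behaviours a decoded manifest can support."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    found = {b for b, wanted in BEHAVIOUR_PERMS.items() if perms & wanted}
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in rcv.iter("action")}
        # A device-admin receiver is guarded by BIND_DEVICE_ADMIN and
        # listens for DEVICE_ADMIN_ENABLED.
        if (rcv.get(ANDROID + "permission") == P + "BIND_DEVICE_ADMIN"
                and ADMIN_ACTION in actions):
            found.add("device_admin")
    return sorted(found)

def is_suspicious(xml_text, threshold=3):
    """Flag apps that combine at least `threshold` of the behaviours."""
    return len(triage_manifest(xml_text)) >= threshold

# Constructed sample manifest (not from a real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE), is_suspicious(SAMPLE))
```

Each of these manifest entries is also used by legitimate apps, so a hit is a prompt for closer review rather than a verdict. Hiding the app icon is typically done at runtime and is not covered by this manifest check.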
Geographical distribution of attacks by the Trojan-Banker.AndroidOS.Marcher family
Geographical distribution of attacks during the period from 24 July 2014 to 27 July 2015
Top 10 countries with most attacked users (% of total attacks)
* Percentage of all unique Kaspersky Lab users attacked by this malware