German and Czech Android users are being served a banking Trojan directly through text messages, warns malware researcher Bart Blaze.
The message claims that the user has missed the delivery of a package by the DHL delivery service (or by the Czech Post, or by the Czech-based online shop Alza), and should download a mobile app to arrange a new delivery attempt.
A direct link to the app is helpfully provided, but the “DHL Express Mobile”, “Posta Online”, or “Alza” apps that get downloaded are actually the Marcher banking trojan.
The malware asks for device administrator rights, checks for the presence of antivirus and security applications, and targets a variety of mobile apps of German and Czech banks and other financial organizations: ČSOB, Star Finanz, Deutsche Kreditbank (DKB), Commerzbank, Raiffeisenbank, and more.
The Marcher malware has been around since 2013, and its main goal is to steal mobile banking app credentials by overlaying fake login forms on top of the screens of legitimate apps. As the malware is sold as a kit on dark web markets, different buyers disguise it as different types of apps and choose different targets and distribution methods.
Cleaning an infected device
Users who have fallen for the trick and have installed one of these fake apps will have to work to uninstall it.
“Marcher installs itself as Device Administrator, effectively making the user unable to force the process to stop or uninstall the application normally,” Blaze notes.
If you attempt to force uninstall the application, it will repeatedly pop up the device administrator prompt.
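One way to see which apps currently hold device administrator rights on a connected device is `adb shell dumpsys device_policy`. The script below is an added example, not part of Blaze's write-up or this article: it parses a constructed, abbreviated approximation of that dumpsys output (the real dump is longer, and its exact layout is an assumption here), extracts the admin receiver components, and flags any whose package is not on a short allowlist. The package names in the sample are placeholders, not real indicators.

```shell
#!/bin/sh
# Constructed sample approximating `adb shell dumpsys device_policy` output.
# The exact layout and the package names are assumptions for this example;
# on a real device you would pipe the live dumpsys output into the functions.
SAMPLE_DUMPSYS='Current Device Policy Manager state:
  Immutable state:
    mHasFeature=true
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.android.managedprovisioning/com.android.managedprovisioning.DeviceAdminReceiver}:
      uid=1000
      testOnlyAdmin=false
    ComponentInfo{de.example.fakedelivery/de.example.fakedelivery.AdminReceiver}:
      uid=10142
      testOnlyAdmin=false
  Password reset token: none'

# Read dumpsys output on stdin and print one "package/receiver" line per
# enabled device admin. ComponentName prints as ComponentInfo{pkg/cls}.
list_device_admins() {
  sed -n 's/^[[:space:]]*ComponentInfo{\([^}]*\)}.*$/\1/p'
}

# Read dumpsys output on stdin; $1 is a space-separated allowlist of packages
# that are expected to be device admins (e.g. the MDM agent). Prints every
# admin outside the allowlist and returns 1 if any was found, 0 otherwise.
flag_unexpected_admins() {
  allow="$1"
  found=0
  for comp in $(list_device_admins); do
    pkg=${comp%%/*}              # package name is the part before the slash
    case " $allow " in
      *" $pkg "*) ;;             # expected admin, nothing to report
      *) echo "UNEXPECTED device admin: $comp"; found=1 ;;
    esac
  done
  return $found
}

# Stand-alone run against the constructed sample. On a real device replace the
# printf with: adb shell dumpsys device_policy | flag_unexpected_admins "..."
printf '%s\n' "$SAMPLE_DUMPSYS" \
  | flag_unexpected_admins "com.android.managedprovisioning" \
  || echo "An unexpected device admin is present; see the cleanup advice below."
```

An app that appears here, cannot be deactivated from the device administrator settings, and was installed from an SMS link is exactly the pattern described above. Because the malware re-prompts for the admin role, the check is useful for triage and for confirming that a wipe was actually needed, not as a substitute for the factory reset Blaze recommends.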
Blaze says that the best way to clean up the device is to back up your files and then either restore the device to factory settings or wipe it and reinstall the OS.
Afterwards, be sure to change your mobile banking passwords and to notify your bank of the incident.