Marcher
Marcher is an Android banking trojan active from 2013 to approximately 2018, recognized as one of the earliest families to use overlay attacks for credential theft at scale. First targeting German banking apps, Marcher expanded to Australia, France, Turkey, and the United States. The trojan was sold on underground forums as a toolkit, enabling multiple independent operators to run campaigns with customized overlay templates. Marcher helped establish the overlay injection pattern (detecting which app is in the foreground, then drawing a WebView-based phishing screen over it) that became the dominant technique in later families such as Anubis, Cerberus, and Hydra.
Overview
| Attribute | Details |
|---|---|
| First Seen | Late 2013 |
| Status | Inactive (last significant campaigns ~2018) |
| Type | Banking trojan |
| Aliases | Marchcaban, Trojan-Banker.AndroidOS.Marcher |
| Attribution | Russian-speaking actors (multiple operators via toolkit sales) |
| Distribution | SMS phishing, fake Google Play pages, fake firmware updates |
Vendor Names
| Vendor | Name |
|---|---|
| Kaspersky | Trojan-Banker.AndroidOS.Marcher |
| ESET | Android/Spy.Banker.FP (Marcher) |
| McAfee | Android/Marcher |
| ThreatFabric | Marcher |
| Proofpoint | Marcher |
Origin and Lineage
Marcher first appeared in late 2013 targeting German banking customers. ThreatFabric tracked its evolution from initial versions that displayed simple fake Google Play payment pages to later variants using full overlay injection with per-bank phishing templates.
The malware was sold as a toolkit on Russian-speaking underground forums. Under this distribution model, multiple independent operators ran simultaneous Marcher campaigns with different target lists and regional focus, making Marcher one of the earliest Android banking trojan-as-a-service operations, predating the formal MaaS model that later families such as Cerberus and Octo commercialized.
Proofpoint documented extensive Marcher campaigns targeting Austrian banking customers in 2017, showing how the toolkit model enabled rapid geographic expansion as new operators purchased the kit and configured their own bank target lists.
Distribution
| Period | Vector | Details |
|---|---|---|
| 2013-2015 | Fake Google Play | SMS with links to fake Play Store pages prompting APK download |
| 2016 | Fake firmware updates | Phishing pages claiming a device firmware update is required |
| 2016-2017 | Credential phishing combo | Two-phase attack: email phishing for online banking credentials, then SMS delivering Marcher for 2FA interception |
| 2017-2018 | SMS phishing | Direct SMS links to malicious APK downloads, impersonating banks and postal services |
Proofpoint's analysis of Austrian campaigns documented a sophisticated two-phase approach: operators first sent phishing emails to steal online banking credentials through a fake bank website, then sent an SMS to the same victim with a link to install Marcher disguised as a security app, capturing the 2FA codes needed to complete fraudulent transactions.
Capabilities
| Capability | Implementation |
|---|---|
| Overlay attacks | WebView-based phishing screens triggered when target banking apps open |
| SMS interception | Reads, sends, and hides incoming SMS for OTP theft |
| Device info collection | IMEI, model, OS version, installed apps |
| Credit card phishing | Fake Google Play payment page requesting credit card details |
| Contact harvesting | Exfiltrates the victim's address book |
| Lock screen overlay | Persistent overlay demanding credit card entry on device unlock |
Overlay Attack Evolution
Marcher's overlay implementation evolved across versions:
- Early versions (2013-2014): Displayed a generic fake Google Play payment page requesting credit card information whenever the user opened the Play Store
- Mid versions (2015-2016): Added per-bank overlay templates, detecting specific banking apps and displaying matching phishing screens
- Late versions (2017-2018): Full WebView-based injection system with templates downloaded from C2, supporting dynamic updates without APK modifications
This evolution from static credit card phishing to dynamic per-app overlays established the pattern that modern banking trojans still follow.
Technical Details
C2 Communication
Marcher communicates with its C2 server over HTTP(S). The implant registers with the C2 on first launch, sending device information and receiving configuration data including the target app list and overlay template URLs.
| Component | Details |
|---|---|
| Protocol | HTTP(S) |
| Registration | Device fingerprint sent on first launch |
| Overlay delivery | Templates downloaded from C2 as HTML/JS packages |
| SMS relay | Intercepted SMS forwarded to C2 in real-time |
Target Detection
Marcher monitors the foreground application, using getRunningTasks in earlier versions (deprecated in Android 5.0, from which point it returns only the calling app's own tasks) and accessibility services in later versions. When a target banking app is detected in the foreground, Marcher draws the corresponding overlay phishing screen on top of it. The overlay captures the credentials the victim enters and transmits them to the C2 server.
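The Capabilities table above and the foreground-detection logic described here translate directly into manifest-level indicators that an analyst can check before any dynamic analysis. The following script is an added example for this page, not Marcher's code and not taken from any vendor report: it parses a decoded AndroidManifest.xml with the Python standard library and scores the permission and component combinations a Marcher-style overlay banker needs (overlay drawing, foreground-app detection via GET_TASKS or PACKAGE_USAGE_STATS or an accessibility service, a high-priority SMS_RECEIVED receiver for OTP hiding, and device and contact collection). The weights, the flagging threshold, the two sample manifests and every package, service and receiver name in them are assumptions constructed for the example.

```python
"""Static triage of a decoded AndroidManifest.xml for overlay-banker indicators.

Added example for this page; it is not Marcher's code and not taken from any
vendor report. Weights, the threshold, the sample manifests and all package,
service and receiver names are assumptions made for the example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """ElementTree attribute key for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Permission -> (weight, capability it enables). Weights are assumptions.
INDICATOR_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": (3, "draw overlays on top of other apps"),
    "android.permission.GET_TASKS": (2, "foreground app detection via getRunningTasks (pre-5.0)"),
    "android.permission.PACKAGE_USAGE_STATS": (2, "foreground app detection via UsageStatsManager"),
    "android.permission.RECEIVE_SMS": (2, "intercept incoming SMS for OTP theft"),
    "android.permission.READ_SMS": (1, "read the SMS store"),
    "android.permission.SEND_SMS": (1, "send SMS (propagation, relay)"),
    "android.permission.READ_PHONE_STATE": (1, "collect IMEI / device fingerprint"),
    "android.permission.READ_CONTACTS": (1, "harvest the address book"),
    "android.permission.RECEIVE_BOOT_COMPLETED": (1, "restart after reboot"),
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# A receiver ordered ahead of the stock SMS app (priorities like 999 or
# INT_MAX) could call abortBroadcast() to hide the OTP on Android < 4.4.
HIGH_PRIORITY = 999
BANKER_THRESHOLD = 8  # assumption: a score at or above this gets flagged


def triage_manifest(xml_text):
    """Return {'score': int, 'findings': [str], 'flagged': bool} for one manifest."""
    root = ET.fromstring(xml_text)
    name_key = android_attr("name")
    score, findings = 0, []

    declared = {p.get(name_key) for p in root.iter("uses-permission")}
    for perm, (weight, why) in INDICATOR_PERMISSIONS.items():
        if perm in declared:
            score += weight
            findings.append("%s: %s" % (perm.rsplit(".", 1)[1], why))

    # A service bound with BIND_ACCESSIBILITY_SERVICE receives window-change
    # events for every app, which is how later overlay bankers pick their moment.
    for svc in root.iter("service"):
        if svc.get(android_attr("permission")) == ACCESSIBILITY_PERMISSION:
            score += 3
            findings.append("accessibility service %s: foreground monitoring" % svc.get(name_key))

    # An SMS_RECEIVED receiver at high priority is the classic OTP-hiding setup.
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {act.get(name_key) for act in flt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                priority = int(flt.get(android_attr("priority"), "0"))
                if priority >= HIGH_PRIORITY:
                    score += 3
                    findings.append("SMS_RECEIVED receiver %s at priority %d: can hide OTPs"
                                    % (rcv.get(name_key), priority))

    return {"score": score, "findings": findings, "flagged": score >= BANKER_THRESHOLD}


# Constructed sample manifests; package and component names are hypothetical.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flash Update">
    <service android:name=".WatchService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"><activity android:name=".MainActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(label, result["score"], "FLAGGED" if result["flagged"] else "ok")
        for line in result["findings"]:
            print("  -", line)
```

Run as-is to see both samples scored (the constructed suspicious manifest scores 18, the benign one 0); for a real sample, feed triage_manifest the manifest produced by apktool or androguard. The score is a triage hint, not a verdict: a legitimate SMS or launcher app declares several of the same permissions, and on Android 6.0 and later the overlay permission and the accessibility binding both require an explicit user grant, which is exactly what the fake firmware-update and fake security-app lures described under Distribution are built to obtain.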
Target Regions
| Period | Primary Targets |
|---|---|
| 2013-2014 | Germany |
| 2015 | Germany, France |
| 2016 | Australia, UK, Turkey |
| 2017 | Austria, Australia, US, France |
| 2018 | Declining activity, superseded by newer families |
Marcher's geographic expansion tracked with the toolkit's sales on underground forums. Each new regional campaign typically appeared when a new operator purchased the kit and configured it with local banking app targets.
Notable Campaigns
Late 2013: Marcher first observed targeting German banking customers with fake Google Play payment pages.
2016: Major campaigns targeting Australian banks. Securify researchers documented Marcher intercepting the launch of Australian banking apps to display overlay phishing screens, marking the transition from generic credit card theft to targeted banking credential harvesting.
2017: Proofpoint publishes analysis of a two-phase Austrian campaign combining desktop phishing with Marcher for mobile 2FA interception.
2018: Marcher activity declines as operators migrate to newer families with more advanced capabilities. Anubis, Hydra, and later Cerberus offer more sophisticated overlay engines, better anti-analysis, and accessibility-based remote control that Marcher lacked.
Related Families
Marcher belongs to the first generation of Android overlay banking trojans alongside Svpeng (2013) and BankBot (2014). Together, these families established the overlay attack paradigm that dominates Android banking malware to this day.
The second generation, Anubis (2017), Hydra (2018), and Cerberus (2019), built on Marcher's overlay model while adding accessibility-based remote control, VNC streaming, and more sophisticated anti-analysis. The toolkit distribution model that Marcher pioneered evolved into the formal MaaS operations that Cerberus, Octo, and Hook later commercialized.