February 26, 2018

5 Year Old Banking Trojan/Malware As a Service Booming

BancaMarStealer, also known as Marcher, is a malware family designed to phish a victim's banking (or other service) credentials. It was first spotted nearly five years ago, but today, the malware family has never been stronger. In fact, the number of samples have nearly quadrupled.

In February 2018, Lookout researchers have observed nearly 7,700 samples in the wild as compared to 2,000 in May 2016. These samples are targeting victims in Australia, Austria, France, Germany, Poland, Turkey, the United Kingdom, and the United States.

How it works

BancaMarStealer is delivered via SMS messages prompting users to download an app. One sample also appeared briefly in Google Play in early 2017.

Once installed and a victim opens a targeted app or visits a website of interest to the attacker, BancaMarStealer lures victims into unknowingly entering their credentials by displaying legitimate-looking overlays that are carefully designed to imitate the login portal of a victim's bank or other targeted service. The developers behind BancaMarStealer adopted a Malware-­as-­a-­Service business model where cybercriminals can purchase the toolkit from them and then highly customize it. It can be configured to target specific banks, communicate to certain command and control servers, and it supports a wide range of remote commands.

BancaMarStealer overlays
BancaMarStealer overlays that convincingly imitate login protals of major financial institutions.

BancaMarStealer is also capable of creating overlays for generic applications that are not banking specific. To this end, samples have been analyzed that contain functionality to create overlays for apps like Amazon, Facebook, Google Play, Skype, Twitter, Uber, and Whatsapp.

BancaMarStealer overlays - retail
BancaMarStealer overlays that convincingly imitate login protals of major apps and retailers.

BancaMarStealer's capabilities have evolved

Over the years, new versions of this malware family have continually evolved to the point where it is now one of the most robust banking trojans we've seen, capable of intercepting banking information but also able to provide an adversary with significant control over a victim's device.

Current samples are highly customizable and can be configured to have:

  1. Attacker-specified command and control settings
  2. A remotely updateable list of available overlays
  3. Comprehensive remote control functionality

BancaMarStealer's remote capability allows an adversary to carry out a host of operations on a target device, including remotely:

  1. Changing command and control IP addresses
  2. Specifying further applications or websites to target
  3. Silently calling attacker specified numbers
  4. Sending spam to a victim's contacts
  5. Factory resetting the device
  6. Locking the device
  7. Retrieving all SMSes

None of the BancaMarStealer samples analyzed required root capabilities.

Encryption and infrastructure

Since its creation, BancaMarStealer samples have utilized HTTP for communications. This means the malware sends stolen sensitive personal information unencrypted over the network. Analysis of network traffic from an infected device shows that information such as any entered credentials, a victim's IMEI, phone number and telecommunications provider, package names of installed applications, and the device model are all posted to attacker infrastructure. A third party, who may intercept traffic to or from an infected device, would be able to easily capture this information. Furthermore, by modifying responses from command and control servers, a third party could gain significant control over the victim's device, instructing it to do a factory reset, forward all its calls to a certain number, or upload a victim's SMSes. Alternatively, this actor could use its position on the network to hijack an attacker's control over an infected device by modifying responses from command and control (C2) servers to include new instructions that cause devices to communicate to new infrastructure.

Command and control servers have been geolocated to numerous countries around the world however a majority were found to be hosted in Russia, the United States and Germany.

Combatting a powerful and growing adversary

Leveraging data from Lookout's sensor network of over 150 million mobile devices worldwide, Lookout analyzed 30,000 mobile devices with one or more major banking app installed. The mobile threat histories of these devices during a one-year study showed that ten percent of mobile banking customers encountered a mobile threat or risk.

App developers are likely to be more concerned about user experience and optimizing functionality than building in security measures to protect against mobile threats. Developers might focus on making sure there are no vulnerabilities in the app code, but often they don't consider the security of the device itself. A breach of customer credentials or data leads to a series of negative consequences for financial services firms, including loss in revenue from fraud, or as customers opt to no longer do business with the firm; erosion in brand equity due to negative publicity; and financial penalties due to non-compliance with regulations.


Michael Flossman

Head of Threat Intelligence

Michael is Head of Threat Intelligence at Lookout where he works on reverse engineering sophisticated mobile threats while tracking their evolution, the campaigns they are used in, and the actors behind them. He has hands-on experience in vulnerability research, incident response, security assessments, pen-testing, reverse engineering and the prototyping of automated analysis solutions. When not analysing malware there’s a good chance he’s off snowboarding, diving, or looking for flaws in popular mobile apps.

Entry Type
Threat Summary
Threat Type
Threat Type
Platform(s) Affected
Threat Summary

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.