Just a few hours after Adobe released an emergency, out-of-band patch to fix a critical vulnerability in Flash, the trouble magnet is back in the news. Adobe Flash Player is putting users at serious risk: its exploits are used not only to take control of machines, but also to get users into serious financial trouble. This time, it's not entirely Flash's fault, though. Earlier this week an Android banking trojan was discovered that fools users into installing a fake Adobe Flash version in order to serve phishing web pages that steal users' banking credentials.
Another trojan, dubbed Android Marcher, uses the same technique. Having previously focused on massive SMS and email spam campaigns, the trojan has now evolved. Marcher is a three-year-old trojan that has resurfaced on the internet, this time targeting Android users visiting porn sites.
Android Marcher uses porn sites to steal users' financial info
Porn sites have long been used to serve malware, and Marcher does the same by prompting site visitors to install a malicious payload that appears to be an Adobe Flash installer package. If Flash wasn't doing enough itself to send tons of malware our way, criminal hackers have found another way to monetize unwitting visitors: tricking them into downloading fake copies of Flash.
The primary goal again is to steal financial information from the user through a fake Google Play store payment page. Zscaler reported:
[...] a new wave of Marcher Trojan that has been active for the past month, where the malware arrives as an Adobe Flash installer package. We have captured over 50 unique payloads from this campaign. The majority of these Marcher payloads are from pornographic sites serving a fake Adobe Flash Player for watching porn. The primary goal of this malware is still the same - display a fake Google Play store payment page and steal financial information from the user.
First appearing in 2013, the Marcher trojan has evolved into sophisticated Android malware that is now aware of the application profile of a user's device. "This is the first wave where we have seen Marcher variants leveraging a combination of porn lure and [a phony] Adobe Flash Player update," Zscaler added.
How does Android Marcher work...
When an Android user visits a porn site, the trojan presents a popup asking them to install the Android version of Adobe Flash in order to watch the video. Since the Google Play Store no longer offers Flash (it has been discontinued), the site offers users a direct download and install. Once the user is tricked into downloading the fake Adobe Flash copy to their device, they are asked to grant admin privileges to complete the installation process.
Having gained full control of the victim's Android phone, the app starts communicating with its command and control server, sending identification data from the user's device. The latest phishing campaign uses 50 different versions of Android Marcher. Most of these are packed with phishing pages posing as the Google Play store, asking the user for their credit card information to finish the Flash Player installation process.
Not only this, it also looks for any banking apps installed on the user's device. If it has support for that bank, it overlays its own fake page over the official banking app, stealing login credentials. "The user banking credential information is relayed back to the C&C server in plain text," security researchers explained.
Researchers said that the following 16 banks are targeted with custom-made phishing pages via Android Marcher:
BankSA - Bank of South Australia
Commerzbank
Commonwealth Bank of Australia - NetBank app
Deutsche Postbank
DKB - Deutsche Kreditbank
DZ Bank
Deutsche Bank
Fiducia & GAD IT
ING Direct
La Banque Postale
Mendons
NAB - National Australia Bank
PayPal
Santander Bank
Westpac
WellStar billpay app
To stay safe, make sure to only download applications from trusted sources like the Google Play store, and avoid clicking on any pop-ups that demand you download apps and grant them admin privileges. Also, try to stop using Flash - fake or real.
For those interested, technical details of the Android Marcher trojan can be accessed at Zscaler.