The past months many different banking Trojans for the Android platform have received media attention. One of these, called Marcher, seems to be especially active with different samples appearing on a daily basis. This malware variant also appears to be technically superior to many other banking Trojans being able to use its overlay attack even on Android 6, which has technical improvements compared to the previous Android versions to prevent such attacks.
The main infection vector is a phishing attack using SMS/MMS. The social engineering message includes a link that leads to a fake version of a popular app, using names like Runtastic, WhatsApp or Netflix. On installation, the app requests the user to provide SMS storage access and high Android privileges such as Device Admin. Other infection vectors include pornographic websites serving apps called Adobe Flash or YouPorn.