According to X-Force intelligence, Marcher first appeared in the wild in late 2013. It is known to be a commercial offering sold in Russian-speaking underground forums by its supposed developer or distribution accomplices.
In the first year of its activity, Marcher did not target banks; initially, its various operators used it only to steal credit card information from infected victims. To do so, the malware triggered a phishing overlay screen when users accessed the Google Play app store, plastering a fake window on top of the app store’s activity to request the user’s credit card number, expiration date and CVV2 code. In 2014, Marcher began targeting banks, starting with a large bank in Germany, PhishLabs reported.