Bank Android Trojan poses as a software update

28 June 2017, 12:41 | Technologies

A sophisticated banking Trojan for the Android mobile operating system has acquired another way of deceiving users. The latest version of the malicious application Marcher poses as an update to Adobe Flash Player. The application was first seen on Russian-language forums in late 2013; back then it posed as a security update for the mobile game Super Mario and for a number of other applications.

The new version of the Trojan was discovered by Zscaler ThreatLabZ specialists, who note that it now uses a new distribution technique: pornographic content and links to popular mobile games serve as the lure. All downloads come from third-party sites, not from the official Google Play Store.

On launch, the page shows a message claiming that the installed version of Flash Player is outdated and must be updated. A user who believes it and taps to download the update gets infected. Marcher even offers a step-by-step guide to disabling the security setting that blocks installation of applications from sources other than the Google Play Store.

After installation, the malicious program hides itself by removing its icon from the app menu and registers the device with its command-and-control server. It collects information about the device, including the list of installed applications.



The program then waits for the user to launch one of a number of target applications and displays its own fake page over it to steal logins and passwords. Such targets may include banking applications, e-mail clients and ... For example, there are fake pages for Citibank, TD Bank, PayPal, Gmail, Facebook, Walmart, Amazon, Western Union and others. The list of target applications is hard-coded in Marcher, but the appearance of the fake pages can be changed.
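The behaviours described above (a sideloaded "Flash Player update", an app that removes its own launcher icon, and the ability to draw a fake login page over another app) are observable from an ordinary device inventory, which is where a defender can catch them even when antivirus signatures miss the obfuscated code. The following is an added example, not code from the article or from Zscaler: a small Python triage routine that scores records from a constructed app inventory against those indicators. The record layout, the sample package names and the finding threshold are assumptions; the installer package name `com.android.vending` and the `SYSTEM_ALERT_WINDOW` permission are the real Android identifiers for the Play Store installer and the overlay ("draw over other apps") permission.

```python
"""Heuristic triage of an Android app inventory for Marcher-style indicators.

Added example (assumed record layout and thresholds); it is not the
trojan's code, nor Zscaler's detection logic. The flagged conditions are
the ones the article describes: a fake Flash Player update, an install
from outside Google Play, a hidden launcher icon, and overlay capability.
"""

from dataclasses import dataclass, field
from typing import List, Optional

# Real Android identifiers: the Play Store's installer package and the
# permission an app needs to draw windows over other apps.
PLAY_STORE_INSTALLER = "com.android.vending"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"


@dataclass
class AppRecord:
    """One installed app as an inventory agent might report it (assumed layout)."""
    package: str
    label: str
    installer: Optional[str]          # None = sideloaded from an unknown source
    has_launcher_icon: bool
    permissions: List[str] = field(default_factory=list)


def triage(app: AppRecord) -> List[str]:
    """Return the list of Marcher-style indicators present on this record."""
    findings = []
    if "flash player" in app.label.lower():
        # Adobe discontinued Flash Player for Android in 2012, so any app
        # offering a "Flash update" is a lure, not a legitimate update.
        findings.append("claims to be Flash Player (discontinued on Android in 2012)")
    if app.installer != PLAY_STORE_INSTALLER:
        findings.append("not installed from Google Play (unknown-sources install)")
    if not app.has_launcher_icon:
        findings.append("no launcher icon (app hides itself from the menu)")
    if OVERLAY_PERMISSION in app.permissions:
        findings.append("can draw over other apps (overlay phishing capability)")
    return findings


def is_suspect(app: AppRecord, min_findings: int = 3) -> bool:
    """A single indicator is common for benign apps; require several to fire."""
    return len(triage(app)) >= min_findings


def suspects(inventory: List[AppRecord]) -> List[str]:
    """Package names in the inventory that meet the suspect threshold."""
    return [app.package for app in inventory if is_suspect(app)]


# Constructed sample inventory: one lure matching the article, two benign apps.
SAMPLE_INVENTORY = [
    AppRecord("com.example.flashupdate", "Adobe Flash Player Update", None, False,
              [OVERLAY_PERMISSION, "android.permission.RECEIVE_SMS"]),
    AppRecord("com.example.bank", "My Bank", PLAY_STORE_INSTALLER, True,
              ["android.permission.INTERNET"]),
    AppRecord("com.example.game", "Puzzle Game", None, True,
              ["android.permission.INTERNET"]),
]

if __name__ == "__main__":
    for app in SAMPLE_INVENTORY:
        print(app.package, "->", triage(app) or "clean")
    print("suspects:", suspects(SAMPLE_INVENTORY))
```

The threshold matters: a sideloaded game or an app that legitimately holds the overlay permission (a screen-filter or chat-head app) each trip one indicator on their own, so a single hit is noise, while the combination of a Flash lure, an unknown-sources install and a hidden icon is the profile the article describes.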

Heavy code obfuscation lets the program evade most antivirus products: a VirusTotal scan shows a detection rate of only 20%.



