Mercher Android Banking Trojan piggybacks fake Flash Player Update

Mercher uses deceptive techniques to get inside the device

Image of the Mercher Android Trojan virus

As with most banking Trojans, Mercher's developers invest a lot of effort in making the infection as stealthy and unnoticeable as possible. Rather than exploiting a software vulnerability, this particular malware tricks the user into installing it: it arrives concealed as a legitimate-looking Adobe Flash Player update, distributed as a file named Adobe_Flash_2016.apk [1].

According to researchers at Zscaler [2], the Trojan-carrying ads were injected into users' web traffic through the popcash.net pop-under ad network. Using well-established social engineering tricks, the scammers walked users through a fake Flash Player update process that had them disable Android's security settings and enable installation of apps from unknown sources, which is the only way a sideloaded APK like this one can be installed at all.

Once the malware has been dropped on the device, it removes its icon from the app launcher, so the victim has no obvious way to find or uninstall it, and establishes a connection to its command-and-control (C&C) server.

Trojan targets over 40 financial applications

Mercher is programmed to run in the background of the Android system in a kind of sleep mode, lurking until the victim opens one of a predetermined set of applications. These include banking-related apps such as PayPal and NetBank, and email apps such as Yahoo and Gmail. In total, the Trojan targets around 40 different applications.

When the victim launches an app from the target list, the Trojan wakes up and immediately draws a fake login screen over the top of the legitimate one. The overlay is made to look identical to the real login page, so users have no reason to suspect they are handing their credentials to the scammers rather than to the bank. On Android, drawing over another app requires the "draw over other apps" permission (SYSTEM_ALERT_WINDOW), which is why a banking Trojan of this kind asks for it.

The submitted data is immediately transmitted to the perpetrators' server, where it is stored until the criminals either use it to break into the accounts themselves or sell it on the black market.
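The two preconditions described above, "Unknown sources" switched on and an app that may draw over other apps, can both be checked from a workstation with adb. The script below is an added example written for this article, not code from the original page or from Zscaler: it parses `adb shell dumpsys package` output for third-party packages that request SYSTEM_ALERT_WINDOW and interprets the `install_non_market_apps` setting. The dumpsys excerpt is a constructed, abbreviated sample, and the fake Flash package name `com.adobe.flash.update` is made up, since the article does not give the real one.

```shell
#!/bin/sh
# Added example, not code from the article or from Zscaler: offline triage of
# `adb shell dumpsys package` output for the two Mercher preconditions.
# Package names and the dumpsys excerpt below are constructed.

# Print third-party packages (codePath under /data/app) whose
# "requested permissions:" block lists android.permission.SYSTEM_ALERT_WINDOW,
# the "draw over other apps" permission an overlay login screen needs.
# System apps (SystemUI, the phone app) hold it legitimately, so they are skipped.
overlay_packages() {
    tr -d '\r' | awk '
        /^ *Package \[/ {
            pkg = $2; sub(/^\[/, "", pkg); sub(/\]$/, "", pkg)
            thirdparty = 0; inreq = 0; next
        }
        /^ *codePath=\/data\/app\// { thirdparty = 1; next }
        /^ *requested permissions:/  { inreq = 1; next }
        # a line that is not a bare permission name ends the requested list
        inreq && !/^ +[A-Za-z0-9_.]+$/ { inreq = 0 }
        inreq && thirdparty && /\.SYSTEM_ALERT_WINDOW$/ { print pkg }
    '
}

# Interpret `adb shell settings get secure install_non_market_apps`.
# "1" means the global "Unknown sources" switch is on. That switch exists on
# Android 7.x and earlier; Android 8.0+ replaced it with a per-app
# "Install unknown apps" permission, so there the value is no longer meaningful.
unknown_sources_enabled() {
    [ "$(printf '%s' "$1" | tr -d '\r')" = "1" ]
}

# Combine both checks: dumpsys text on stdin, settings value in $1.
report() {
    pkgs="$(overlay_packages)"
    if [ -n "$pkgs" ]; then
        printf 'Third-party packages that can draw over other apps:\n%s\n' "$pkgs"
    fi
    if unknown_sources_enabled "$1"; then
        echo 'WARNING: "Unknown sources" is enabled (install_non_market_apps=1)'
    fi
}

# Constructed, abbreviated dumpsys excerpt for the offline demo.
SAMPLE_DUMPSYS='  Package [com.android.systemui] (1a2b3c):
    userId=10012
    codePath=/system/priv-app/SystemUI
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
  Package [com.example.notes] (7e8f90):
    userId=10077
    codePath=/data/app/com.example.notes-1
    requested permissions:
      android.permission.INTERNET
  Package [com.adobe.flash.update] (4d5e6f):
    userId=10104
    codePath=/data/app/com.adobe.flash.update-1
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.READ_SMS
    install permissions:
      android.permission.INTERNET: granted=true'

if [ "${1:-}" = "--live" ]; then
    # Against a connected device (requires adb and USB debugging enabled).
    adb shell dumpsys package |
        report "$(adb shell settings get secure install_non_market_apps)"
else
    printf '%s\n' "$SAMPLE_DUMPSYS" | report 1
fi
```

Run it with `--live` against a real device to get the same report from actual dumpsys output. Only SystemUI-style system apps are filtered out; any user-installed package that turns up in the list and is not a screen filter, chat-head messenger or similar deserves a closer look, and a hit that also has no launcher icon is a strong sign of a Mercher-style overlay Trojan.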

Recognizing fake Flash Player Update pop-ups

Cybercriminals have been spreading malware via fake Flash Player update pop-ups for years, and veterans of the Internet know that such update alerts never mean anything good. On Android the case is especially clear: Adobe stopped distributing Flash Player for Android in 2012, so any "Flash Player update" offered to an Android device is fake by definition. If you are worried you may not recognize the deceptive message and accidentally install the Trojan, a few simple rules will reduce the risk:

  • Regularly update your software. If you use Flash Player on a desktop, check for updates only on the OFFICIAL Adobe website, never through a pop-up; then, when you see an update prompt on a web page, you will think twice before clicking it.
  • Keep installation from unknown sources turned off, and re-check it after any "update" you were talked through. The fake Flash installer only works because the user switches this setting on.
  • Avoid visiting poor-reputation websites. Such sites display a larger number of deceptive ads.
  • Install an ad blocker. This method is self-explanatory: the software blocks ads, so you will also see far less potentially malicious content.
  • Make sure your device is adware-free. Adware programs are designed to display advertisements on victims' devices because that brings their creators revenue, and most of the time the content displayed comes from disreputable third parties. To stay protected, install a reliable anti-malware program on your Android device.
About the author
Gabriel E. Hall, passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
