Android Marcher
Android Marcher has been notorious for stealing sensitive user data from its victims. It has earned this reputation mainly for:
  • Stealing credit card details
  • Stealing a victim's Google credentials via Google Play
  • Targeting a number of European banks
  • Disabling a number of security apps
  • Spreading via porn websites and Mario Run apps
Something new has been observed in a Marcher sample: after it obtains administrative access to the device, if the victim tries to remove the permission, it shows a screen with an ominous message. The message says that the device will be reset and all data will be lost if device admin rights are revoked. Currently nothing happens even if a user goes ahead with removing the app, but it is quite possible that this data removal component will actually be implemented in the future.

A file named "device_admin_new.xml" is present in the sample that shows this behavior. Oddly, a few old samples have this file too, but none exhibited this behavior. This indicates that Marcher may be a work in progress, and that new samples may arrive with the capability to reset the device.

Marcher sample with new screen stating device reset:
  • com.constre - 898557907598665a203b50f833abc26c

A new Koodous rule has been added for this:
rule Marcher_new
{
    meta:
        description = "This rule detects new Marcher variant with device admin notification screen"
        sample = "b956e12475f9cd749ef3af7f36cab8b20c5c3ae25a13fa0f4927963da9b9256f"

    strings:
        $a = "res/xml/device_admin_new.xml"

    condition:
        $a
}
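
An added triage example (not part of the original post or the Koodous rule): a string condition like $a fires on the path anywhere in the APK's raw bytes, so this sketch also checks whether the path is a real ZIP entry. The function names and the in-memory samples are constructed for illustration. Since older samples carry the file without the reset screen, a hit is a lead for review, not proof of the behavior.

```python
import hashlib
import io
import zipfile

# Resource path taken from the rule's $a string on this page.
ADMIN_RESOURCE = "res/xml/device_admin_new.xml"


def triage_apk(apk_bytes):
    """Return triage facts for one APK given as bytes (hypothetical helper)."""
    result = {
        "sha256": hashlib.sha256(apk_bytes).hexdigest(),
        # What a raw string match sees: the path anywhere in the file.
        "raw_string_hit": ADMIN_RESOURCE.encode() in apk_bytes,
        # Stricter check: the path is an actual entry in the archive.
        "entry_present": False,
        "valid_zip": True,
    }
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
            result["entry_present"] = ADMIN_RESOURCE in apk.namelist()
    except zipfile.BadZipFile:
        result["valid_zip"] = False
    return result


def build_sample(entries):
    """Build a constructed, in-memory APK-like ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples for the demonstration, not real malware.
WITH_RESOURCE = build_sample({
    "AndroidManifest.xml": b"<manifest/>",
    ADMIN_RESOURCE: b"<device-admin/>",
})
CLEAN = build_sample({"AndroidManifest.xml": b"<manifest/>"})
# The path is only mentioned inside another file's (uncompressed) content.
MENTION_ONLY = build_sample({"assets/notes.txt": ADMIN_RESOURCE.encode()})

if __name__ == "__main__":
    for label, sample in [("with_resource", WITH_RESOURCE), ("clean", CLEAN),
                          ("mention_only", MENTION_ONLY)]:
        print(label, triage_apk(sample))
```

When raw_string_hit is true but entry_present is false, the string match came from file content rather than from a packaged resource and deserves a closer look before the sample is labeled.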