Android Marcher has been notorious for stealing sensitive user data from its victims. It has earned this reputation mainly for:
There is a file named "device_admin_new.xml" in the sample that shows this behavior. Oddly, a few older samples contain this file too, but none of them exhibited the behavior. This suggests that the device-reset feature is a "work in progress" for Marcher, and that we may see new samples with the capability to reset the device.
Marcher sample with new screen stating device reset:
A new Koodous rule has been added for this:
description = "This rule detects new Marcher variant with device admin notification screen"
sample = "b956e12475f9cd749ef3af7f36cab8b20c5c3ae25a13fa0f4927963da9b9256f"
$a = "res/xml/device_admin_new.xml"
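The Koodous rule above matches on the presence of the resource path "res/xml/device_admin_new.xml" inside the APK, and the paragraph before it notes that older samples carry the same file without the reset behavior. The following Python script is an added example (not code from the original post or from Koodous) that performs the same presence check on an APK, and additionally inspects the device-admin XML for the "wipe-data" policy, which is the Android device-admin policy that grants data-reset capability. The APKs it scans are constructed in memory for illustration; the XML body, the helper names and the assumption that the XML is stored as plain text (real APKs store compiled binary XML, which would first need an AXML decoder such as apktool or androguard) are all mine, not the sample's.

```python
import hashlib
import io
import re
import zipfile

# Resource path used by the Koodous rule quoted above.
INDICATOR_PATH = "res/xml/device_admin_new.xml"

# Android device-admin policy that allows a device wipe (see <uses-policies>).
WIPE_POLICY = "wipe-data"

# Little-endian magic at the start of compiled (binary) Android XML.
AXML_MAGIC = b"\x03\x00\x08\x00"


def build_sample_apk(include_admin_xml: bool, policies) -> bytes:
    """Build a minimal, constructed APK-like zip in memory (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")  # placeholder content
        zf.writestr("classes.dex", b"dex\n035\x00")          # placeholder content
        if include_admin_xml:
            body = (
                "<device-admin><uses-policies>"
                + "".join(f"<{p}/>" for p in policies)
                + "</uses-policies></device-admin>"
            )
            zf.writestr(INDICATOR_PATH, body)
    return buf.getvalue()


def scan_apk(apk_bytes: bytes) -> dict:
    """Report whether the indicator path exists and which device-admin policies it declares."""
    result = {
        "sha256": hashlib.sha256(apk_bytes).hexdigest(),
        "has_indicator": False,   # the Koodous rule's condition
        "policies": [],           # None if the XML is binary and was not decoded
        "can_wipe": False,        # True only if wipe-data is requested
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if INDICATOR_PATH not in zf.namelist():
            return result
        result["has_indicator"] = True
        raw = zf.read(INDICATOR_PATH)

    # Assumption: plain-text XML. Compiled AXML would need decoding first.
    if raw.startswith(AXML_MAGIC):
        result["policies"] = None
        return result

    text = raw.decode("utf-8", errors="replace")
    block = re.search(r"<uses-policies>(.*?)</uses-policies>", text, re.S)
    if block:
        result["policies"] = re.findall(r"<([a-z-]+)\s*/>", block.group(1))
        result["can_wipe"] = WIPE_POLICY in result["policies"]
    return result


if __name__ == "__main__":
    # Older-style sample: file present, but no wipe policy requested.
    print(scan_apk(build_sample_apk(True, ["force-lock"])))
    # Newer-style sample: file present and wipe-data requested.
    print(scan_apk(build_sample_apk(True, ["wipe-data", "force-lock"])))
```

Because the Koodous rule only tests for the file path, it flags both the old and the new samples; checking the declared policies is what separates a sample that merely ships the file from one that can actually wipe the device.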