A variant of the Marcher banking trojan is targeting Android users by masquerading as a mobile Adobe Flash Player app.
This version of the malware arrives via popcash[dot]net, an advertising network which is known to serve “popunder” ads that display behind a main browser window so that the user sees them when they try to exit.
The ads drop malware payloads that pose as Adobe Flash Player. If a user clicks on the dropper URL, they see a message warning them that their Flash Player is out of date.
The dropper also loads the malware “Adobe_Flash_2016.apk” onto the user’s device, a program which then guides the user to disable security features and allow app installations from unknown sources.
Successful installation prompts the malware to conceal its icon from the home screen, to register the infected device with its command-and-control (C&C) server, and to send important information about the infected device including a list of installed apps to its server.