Marcher Trojan Uses New Tactic to Infect Android Users | eWeek

Marcher Trojan Uses New Tactic to Infect Android Users

Android security
Mar 11, 2016
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Security firm Zscaler is warning about a new variant of the Android Marcher Trojan that is using Adobe Flash and adult content sites as a way to trick users into becoming infected and giving up financial information.

There are a lot of different vulnerabilities in Adobe Flash—in fact, Adobe just updated for 23 new vulnerabilities this week—but the new Android Marcher Trojan isn’t using an authentic version of Flash or exploiting vulnerabilities that Adobe has already patched. Rather, the Android Marcher Trojan uses a fake version of an Adobe Flash Player installer to infect users.

“The majority of the Marcher Trojan downloads that we are blocking in the cloud are from porn sites,” Deepen Desai, head of security research at Zscaler, told eWEEK. This appears to be a popular social engineering tactic where the user is prompted to install the Flash Player update to view the porn video and the attack cycle can start with an email or SMS.”

The email or SMS message that an infected user will get directs the user to the Google Play store to download an app called X-VIDEO. Users are asked to enter their payment card information in order to get access to X-VIDEO, even though the app is free. The fake payment page does say that “you will not be charged unless you make a purchase,” Desai said.

“We did not see anything malicious in X-VIDEO, and this was also confirmed by Google’s Android team,” he said. “However, this may be a tactic to further convince the user into entering the payment information on the fake Google Play payment page to complete the account setup and download this porn app.”

Desai said Zscaler was able to capture and identify the new Marcher campaign using the Zscaler cloud platform. He added that Zscaler’s in-line antivirus and cloud sandbox ensured protection for its customers. At this early stage, Zscaler has blocked more than 50 payloads from this new Marcher campaign, he said.

The new Marcher Trojan specifically is targeting Android users, and even a fully patched Android isn’t enough to stop it. Google issued its March update for Android earlier this week, providing patches for 19 new vulnerabilities.

“This malware will work fine on the latest Android operating systems provided the user clicks and installs the package, which is usually successful due to the porn lure,” Desai said.

Even though a fully patched Android operating system is still at risk, Desai said there are likely a few things that Google could do to limit the risk to users who click on the malicious link.

“Google may be able to track the download attempts for the X-VIDEO app that comes from the malicious link ‘mms-service[.]info/mms’ redirect to the Google Play store,” Desai said. “This can further be used in identifying and notifying the users of all the compromised Android devices that have installed X-VIDEO due to Marcher Trojan infection.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.