We’ve stumbled across a new phishing SMS campaign in the Czech Republic that distributes an Android application (APK) containing the Marcher banking trojan from the domain “dhl-express.online” (DHL is already aware of the issue). In the Czech Republic it targets the ČSOB Android SmartBanking applications for the CZ and SK markets (cz.csob.smartbanking and com.zentity.sbank.csobsk).
The SMS is delivered from the sender “Info” (no phone number). This is the original text:
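“Vazeny kliente DHL, vase zasilka nemuze byt dorucena z duvodu necitelne adresy. Pro zmenu adresy pouzijte nasi aplikaci: http://dhl-express.online/app.apk” (in English: “Dear DHL customer, your shipment cannot be delivered because of an illegible address. To change the address, use our application: http://dhl-express.online/app.apk”)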
The app (current variant from this morning, 2017-02-13) will connect your device to the botnet “MUCHTHENWERESTO” and will then try to steal access details for various banking products, including Google Play, Facebook, Instagram, Skype, Viber, WhatsApp Messenger.
How to protect yourself? Do not download or install any applications from sources other than Google Play (Play Store).
More about the Marcher banking trojan can be found here: https://www.securify.nl/blog/SFY20170202/marcher___android_banking_trojan_on_the_rise.html
The app we found this morning has the SHA256 fingerprint (checksum): 3d546feef23688ad78026bb1ececd15a88eb413df974f8b300ffb1e5f0729d4b
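One way an SMS gateway or mobile security filter could flag the lure described above, as an added example that is not part of the original post. The brand allow-list (`LEGIT_DOMAINS`), the one-point-per-rule scoring and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicator taken from the advisory above.
IOC_HOSTS = {"dhl-express.online"}
# Assumptions: brand keyword and the domains treated as genuine.
BRAND = "dhl"
LEGIT_DOMAINS = ("dhl.com", "dhl.cz")

URL_RE = re.compile(r"https?://[^\s\"'<>“”]+", re.IGNORECASE)


def host_is_legit(host):
    """True if host is a listed brand domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def score_sms(sender, body):
    """Return (score, reasons) for one SMS; each matched rule adds one point."""
    reasons = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url.rstrip(".,;)"))
        host = (parts.hostname or "").lower()
        if host in IOC_HOSTS:
            reasons.append("known campaign host: " + host)
        if parts.path.lower().endswith(".apk"):
            reasons.append("direct APK download link")
        if BRAND in host and not host_is_legit(host):
            reasons.append("brand name in non-brand domain: " + host)
    # A link sent from a text sender ID (no phone number) matches the lure.
    if reasons and not re.fullmatch(r"\+?\d+", sender.strip()):
        reasons.append("alphanumeric sender ID: " + sender)
    return len(reasons), reasons


# First message is the lure quoted in the advisory; the others are constructed.
SAMPLES = [
    ("Info", "Vazeny kliente DHL, vase zasilka nemuze byt dorucena z duvodu "
             "necitelne adresy. Pro zmenu adresy pouzijte nasi aplikaci: "
             "http://dhl-express.online/app.apk"),
    ("+420123456789", "Your parcel is on its way: https://www.dhl.com/track?id=1"),
    ("Info", "Meeting moved to 10:00"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, score_sms(sender, body))
```

The lookalike-domain and direct-APK rules fire independently of the known host, so a re-hosted variant of the same lure is still flagged after the campaign domain changes.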