back to article Flash. Bang. Wallet: Marcher crooks target UK Android users

Miscreants behind the Marcher mobile malware have begun targeting UK banking customers. The trojan - which already targets banks in other countries, including Germany, Austria, France, Australia and Turkey - has added nine major UK bank brands onto its roster, IBM's X-Force security research team warns. Marcher is an Android- …

  1. WolfFan Silver badge
    Facepalm

    why it's Droid-only

    Marcher spreads to devices via spam emails and text messages that trick prospective marks into thinking they are downloading a Flash update.

    iOS doesn't do Flash. Is there a way to kill Flash dead, dead, DEAD on Android? Please?

    1. handle

      Re: why it's Droid-only

      Except this isn't, for once, a Flash vulnerability. It appears to be another vector which just pretends to be something to do with Flash in order to get the user to execute it. 99% of Apple users won't know their device doesn't use Flash so would behave in the same way anyway.

    2. Anonymous Coward
      Anonymous Coward

      Trick you into downloading a "flash update"

      Because flash is so compromised, PC users (who still have flash installed) are used to seeing notifications for updates all the time. If it they didn't use "flash update" as the reason, they could have used "Java update" or "adobe reader update" as those are just as noisy.

  2. David Roberts

    If you are using your phone for 2FA

    Probably not a good idea to use it for banking as well.

    The two factors should be as seperate as possible.

    1. Paul Crawford Silver badge

      Re: If you are using your phone for 2FA

      Indeed, the "2" in 2FA is the assumption that both channels are not compromised by the same folk.

      Using your phone for both blows that out of the water, but you know for some its is the only "computer" they have so it is used, and sadly probably has less patching available than most XP boxes...

    2. Kernel Silver badge

      Re: If you are using your phone for 2FA

      You would think so - but I was recently slagged off in a newspaper's on-line forums by an "IT security professional" who was convinced that the safest way to do on-line banking was by using the bank's free phone app as opposed to the two channel authentication method I had suggested - still, my money is still where it's supposed to be, hopefully hers has migrated elsewhere by now.

    3. handle

      Re: If you are using your phone for 2FA

      When 2FA becomes sweet FA...

  3. handle

    Verification image

    Santander (and probably others) has for a long time shown you an image previously selected by them, and a phrase previously entered by you, after you have entered your customer number, but before you enter your secret information. Assuming the user is awake, this ought to defeat attacks which present the same spoof site to every user.

    1. Charles 9 Silver badge

      Re: Verification image

      But it's a quick step to doing MITP, secretly stepping in between the actual app and the user and logging everything the user sees and does so as to defeat that kind of authentication. And as noted, you can't use another factor for authentication when the phone is the ONLY factor they frequently have. You can't do two-factor authentication without a second factor, after all.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020