The latest evolution of Marcher malware combines three common security threats into one multi-step attack, Proofpoint researchers warned in a report released Friday. Android devices belonging to banking customers or financial business leaders could be at risk.

The newest form of Marcher pairs credential and credit card phishing with banking Trojans into one scheme, targeting Android users who are also customers of large Austrian banks, Proofpoint found. The current scheme has been ongoing since January, impacting almost 20,000 people, according to the report.

SEE: Information security policy (Tech Pro Research)

Phishing emails are the first step of the attack, using a link to direct users to a fake Bank of Austria page, according to the report. From there, a customer is prompted to enter their banking login information, followed by their email address and phone number.

That contact information is later used by the attackers to send users messages directing them to download the fake “Bank Austria Security App,” or face their account being blocked, the report said.

When downloading the fake app, instructions prompt the user to change their security settings to allow apps with unknown sources to download. The app also requires several permissions, including permission to act as a device administrator, which the report says should rarely be granted to an app.

The fake app downloads and places itself on the screen, appearing with fake Bank Austria branding.

Once granted access to the device, Marcher can now deploy credit card phishing scams, both in and outside of the fake app. For example, the malware will ask for credit card details when logging into the Google Play Store, the report said. Further personal details are requested as well.

“As we use mobile devices to access the web and phishing templates extend to mobile environments, we should expect to see a greater variety of integrated threats like the scheme we detail here,” the researchers said in the report.

Marcher has been around since March 2013, initiating in Russian forums, and has escalated to a global threat. The malware made headlines a few times earlier this year. In June, a type of the malware was masquerading as a Flash update. In January, it was caught pretending to be an Android version of Super Mario Run.

Banking business leaders and consumers using Android devices to access banking services should be cautious of what they click or download. Be wary of unusual domains, emails, and apps, especially ones asking to change settings or for a lot of user permissions or information.

Security professionals in charge of banking services available on Android devices, regardless of location, should be aware of the threat and work to prevent it from reaching consumers.

The 3 big takeaways for TechRepublic readers

  1. The latest version of Marcher malware combines phishing and Trojans into a single, multi-step scheme to steal banking information for customers and business leaders using Android devices.
  2. The campaign, which has been ongoing since January, begins with a phishing email leading to a fake Bank Austria page.
  3. Businesses, especially in the financial sector, should take steps to inform and protect their Android users to avoid falling victim.