Attackers have created a fake version of Super Mario Run for Android in an attempt to trick unsuspecting smartphone users into downloading the Marcher trojan.
Marcher is a type of banking malware that acquires administrative privileges on every Android device it infects. It then waits for a victim to open a banking or payment app as well as other well-known services installed on their phones such as Gmail and Facebook.
When the targeted app opens, Marcher overlays the app with a fake login page designed to steal the user’s credentials.
To maximize its distribution rate, the Android trojan assumes a disguise. For instance, it masqueraded as a firmware update back in August 2016. Now it appears Marcher has donned a new mask: Super Mario Run for Android.
Android users have been anxious to play Super Mario Run since the mobile game first launched for iOS on 15 December 2016. But it’s unclear when they will get a chance to sate that desire. As of this writing, there’s still no release data for an Android version of game.
In the meantime, attackers are filling that void with their fake Android installations.
No surprise there. Attackers did the same thing with a fake version of Pokémon Go for Windows. It’s only natural they would capitalize on the hype of another hit mobile game.
This particular campaign centers around a malicious file named SuperMarioRun.apk, which has a 22/57 detection ratio on Virus Total as of this writing.
Marcher immediately asks for administrative privileges upon successful installation. It then sits back and waits to strike against its latest targets: banking and account management apps.
That’s not all it does in this campaign, however. Researchers at infosecurity firm Zscaler explain:
“Like previous Marcher variants, the current version also presents fake credit card pages once an infected victim opens the Google Play store. The malware locks out Google Play until the user supplies the credit card information.…”
Zscaler’s research team goes on to note that Marcher’s banking app overlays weren’t working at the time of their analysis. That might be a comfort to users who have already suffered an infection. But attackers could get the fake login pages back up and running in no time.
With that in mind, Android users should be on the lookout for suspicious login pages whenever they attempt to access Gmail, Facebook, and other services. They should also focus on protecting their devices against a Marcher infection in the first place by never installing applications from unofficial marketplaces.
Sure, Google’s Play Store isn’t immune to malware outbreaks. We’re well aware of that fact.
But Google Play does at the very least make an effort to scan their apps for malware. It’s unclear whether (and highly unlikely that) unofficial marketplaces make a similar level of effort.
For that reason, Android users will stay safer in general by downloading apps only from Google Play.