A fake Super Mario Run for Android is serving the Marcher Banking Trojan

Zscaler experts have found in the wild a fake version of the Super Mario Run Android App that could install the Android Marcher banking trojan.

Bad news for mobile gamers, security experts at Zscaler have spotted a strain of the Android Marcher Trojan masqueraded as the recently released Super Mario Run mobile game for Apple’s iOS.

Marcher is a sophisticated banking trojan that was used by cyber criminals to steal financial data from the victims.

“Marcher is a sophisticated banking malware strain that targets a wide variety of banking and financial apps and credit cards by presenting fake overlay pages. Once the user’s mobile device has been infected, the malware waits for victims to open one of its targeted apps and then presents the fake overlay page asking for banking details.” states the analysis published by Zscaler.

Super Mario Run mobile game for iOS device is one of the most interesting projects of the Nintendo, the company developed for Apple devices the notorious game. Anyway, Super Mario Run is still not available for Android, and crooks are taking advantage of this to spread their malicious variant.

The malicious code found by Zscaler installs the Marcher Trojan instead a legitimate version of Super Mario Run for Android.

“In this new strain, the Marcher malware is disguised as the Super Mario Run app for Android. Knowing that Android users are eagerly awaiting this game, the malware will attempt to present a fake web page promoting its release.” continues the blog post published by Zscaler.

The experts also shared the following details related to the threat:

• Name : Super Mario Run
• Package Name : uiq.pizfbwzbvxmtkmtbhnijdsrhdixqwd
• MD5 : d332560f1fc3e6dc58d94d6fa0dab748
• Detections : 12/55(at time of analysis)

When victims try to install the app it asks for multiple permissions including administrative rights.

The current Marcher version targets account management apps and major banks.

The researchers explained that also this Marcher variant presents fake credit card pages when the victims open the Google Play store. The trojan locks out Google Play until the victims supply the credit card information.

Researchers suspect the malware is still under development, they observed the banking overlay pages served by the C&C were not functioning properly at the time of the analysis.

“In the current variant, we have observed a new obfuscation technique, in which all important string characters are delimited with ‘<<zB5>>‘ as shown below.” continues the analysis.

Crooks always try to take advantage of gamers’ euphoria that coincides with the presentation of new games.

The same has happened last year when the Pokemon GO application was presented. Experts from ProofPoint spotted in the wild a backdoored version of the popular Pokemon GO Android App that could allow attackers to gain control over victims’ devices.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Super Mario Run, backdoor)