A fake Super Mario Run for Android is serving the Marcher Banking Trojan

Zscaler experts have found in the wild a fake version of the Super Mario Run Android App that could install the Android Marcher banking trojan.

Bad news for mobile gamers, security experts at Zscaler have spotted a strain of the Android Marcher Trojan masqueraded as the recently released Super Mario Run mobile game for Apple’s iOS.

Marcher is a sophisticated banking trojan that was used by cyber criminals to steal financial data from the victims.

“Marcher is a sophisticated banking malware strain that targets a wide variety of banking and financial apps and credit cards by presenting fake overlay pages. Once the user’s mobile device has been infected, the malware waits for victims to open one of its targeted apps and then presents the fake overlay page asking for banking details.” states the analysis published by Zscaler.

Super Mario Run mobile game for iOS device is one of the most interesting projects of the Nintendo, the company developed for Apple devices the notorious game. Anyway, Super Mario Run is still not available for Android, and crooks are taking advantage of this to spread their malicious variant.

The malicious code found by Zscaler installs the Marcher Trojan instead a legitimate version of Super Mario Run for Android.

“In this new strain, the Marcher malware is disguised as the Super Mario Run app for Android. Knowing that Android users are eagerly awaiting this game, the malware will attempt to present a fake web page promoting its release.” continues the blog post published by Zscaler.

The experts also shared the following details related to the threat:

Name : Super Mario Run
Package Name : uiq.pizfbwzbvxmtkmtbhnijdsrhdixqwd
MD5 : d332560f1fc3e6dc58d94d6fa0dab748
Detections : 12/55(at time of analysis)

When victims try to install the app it asks for multiple permissions including administrative rights.

The current Marcher version targets account management apps and major banks.

The researchers explained that also this Marcher variant presents fake credit card pages when the victims open the Google Play store. The trojan locks out Google Play until the victims supply the credit card information.

Researchers suspect the malware is still under development, they observed the banking overlay pages served by the C&C were not functioning properly at the time of the analysis.

“In the current variant, we have observed a new obfuscation technique, in which all important string characters are delimited with ‘<<zB5>>‘ as shown below.” continues the analysis.

Crooks always try to take advantage of gamers’ euphoria that coincides with the presentation of new games.

The same has happened last year when the Pokemon GO application was presented. Experts from ProofPoint spotted in the wild a backdoored version of the popular Pokemon GO Android App that could allow attackers to gain control over victims’ devices.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Super Mario Run, backdoor)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.