Super Mario Run(s) — Away With Your Money

If you are an Android user and a big fan of Super Mario, beware: there is no Android version! There has been no official announcement of an Android version yet, let alone a release. There is, however, a version circulating outside of the Google Play market that is out to steal your bank account.

Right now attackers are taking advantage of the game’s popularity and Android users’ despair to spread malware posing as an Android version of Super Mario Run, just as they did in the past for Pokemon GO. The trojan is called Android Marcher and has been around since 2013, mostly targeting mobile users’ financial information. After installation, the application attempts to trick users with fake finance apps and a credit card page in an effort to capture banking details. The malware also locks the user out of Google Play until they supply their credit card information.

This new variant of Marcher can monitor the device and steal login data from regular apps, not just banking and payment apps, and send the stolen data back to command and control (C&C) servers. Facebook, WhatsApp, Skype, Gmail and the Google Play store are all targeted. Criminals can exploit these stolen accounts to carry out additional fraud.

The advice from Zscaler’s researchers is:

To avoid becoming a victim of such malware, it is a good practice to download apps only from trusted app stores such as Google Play. This practice can be enforced by unchecking the “Unknown Sources” option under the “Security” settings of your device.

We would add: turn on “Verify Apps”. Verify Apps regularly checks activity on your device and prevents or warns you about potential harm. Verify Apps is on by default, and Unknown Sources is off by default. Verify Apps also checks apps when you install them from sources other than Google Play. Of course, there is a privacy trade-off: some information about the apps you install has to be sent back to Google.
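The two settings behind that advice can be read over adb rather than by tapping through the Settings app, which is how an administrator would check a fleet of devices. The script below is an added example and is not part of the Hackaday article or Zscaler’s write-up. It assumes the AOSP setting keys `install_non_market_apps` (Secure namespace; 1 means Unknown Sources is enabled) and `package_verifier_enable` (Global namespace; 1 means Verify Apps is enabled), and it treats an absent Unknown Sources key as “not applicable”, since newer Android releases replaced the global toggle with a per-app permission.

```shell
#!/bin/sh
# Added example: audit the "Unknown Sources" and "Verify Apps" posture of an
# Android device over adb. Not code from the article or from Zscaler.
# Assumed AOSP setting keys:
#   secure install_non_market_apps  -> 1 = sideloading from unknown sources allowed
#   global package_verifier_enable  -> 1 = Verify Apps enabled

# Evaluate two raw setting values. Returns 0 when the posture is hardened,
# 1 when sideloading is open or app verification is off.
audit_posture() {
    unknown_sources="$1"
    verify_apps="$2"
    status=0
    case "$unknown_sources" in
        1) echo "WARN: Unknown Sources is ON (sideloading allowed)"; status=1 ;;
        0) echo "OK:   Unknown Sources is OFF" ;;
        *) echo "INFO: install_non_market_apps not present (per-app model on newer Android)" ;;
    esac
    case "$verify_apps" in
        1) echo "OK:   Verify Apps is ON" ;;
        *) echo "WARN: Verify Apps is OFF or unknown (value: '$verify_apps')"; status=1 ;;
    esac
    return "$status"
}

# Read the live values from a connected device and evaluate them.
# adb prints "null" for a key that does not exist; tr strips the CR from Windows-style output.
audit_device() {
    us=$(adb shell settings get secure install_non_market_apps 2>/dev/null | tr -d '\r')
    va=$(adb shell settings get global package_verifier_enable 2>/dev/null | tr -d '\r')
    audit_posture "$us" "$va"
}

# Only talk to a device when adb is installed and one is attached.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    audit_device
fi
```

Run it with a device attached and USB debugging enabled; the exit status makes it usable from a provisioning or compliance script. Devices that have to accept an internal distribution server (the situation one commenter describes) will show the Unknown Sources warning by design, so Verify Apps is the control that still has to be on there.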

The main advice is: use common sense. It’s common practice for companies to release official app versions through Google Play, and highly unlikely for them to do so any other way.

37 thoughts on “Super Mario Run(s) — Away With Your Money”

      1. I clicked on the link that was provided. I didn’t click on any of their links. In my mind an article on a website (in this case: Hackaday), should ideally contain all the information that the article is discussing. If the article requires you to do quite a bit of investigating yourself to find out what’s going on, then in my opinion it’s a bad article.

1. First of all….HackAday can’t reproduce the article because the authors would not want to be plagiarists, besides the article on Zscaler already has all the information that you need in order to understand the problem.

          Secondly….you can’t expect HackAday to hold your hand and do everything for you — you are going to have to do work yourself (ie read).

Thirdly,….anything on the Internet could be considered by someone to be some form of news — the point being that is bringing something to your attention and the question would be: ‘Would you have found the Zscaler article if it wasn’t posted on HackAday’ — I suppose that answer would be no.

So the intention behind this posting is perfectly valid….

          1. Firstly, (re)producing an article is not the same as plagiarism.

            Secondly, Hackaday is producing articles. Normally an article is a self contained story. In this case it wasn’t.

Thirdly, here’s something interesting for you. It’s up to you to now read, and you wouldn’t have found it if I hadn’t made it available to you.

            Get my point? Probably not.

2. @mime….I already knew about Google search, maybe if you took the time to read all of the pages that those search results linked to you’d have a happier life — rather than spending that time trying to make fancy graphics to tell people how to search for ‘interesting hacks’.

            More to the point…..I don’t believe that HackADay is going to be your ‘cup of tea’.

            Rather… will probably want to take your own advice and use Google to search for the things that interest you.

            Until then, bye bye….

      2. I expected HAD to discuss the technical details of the app. Instead we just get a “product may contain peanuts; please remember to wear your safety belt” message and a link to the actual details. This is an actual hack, in both the original and modern sense of the word, yet we get no more intelligent discussion than we could from CNN.

  1. It never fails to amaze me that people want something for nothing and when they get it they seem surprised that in reality it costs more than they realise

– I believe “free” as in puppies is the appropriate term.

1. The problem I face, and several other folk, is that there is no middle ground between “Only Verified Source” and “Every site that wants to install an apk”. I had to disable source verification on my work phone so it can get the Mobile Device Management apps on it, which leaves it vulnerable. I wish there was a way to tell it “These are the sources that I trust” so I can add just my company’s App Distribution server.

It’s not like my company is being cheap or doesn’t have the resources to implement a proper store, we are a 250,000 employee company, 50,000 of which are IT and InfoSec folk, with offices in 150 countries and post $40bn USD in revenue each year…

    2. Big problem with the play store is, even if it is released, it might not be available for your device. Then the play store refuses to display it. It only takes a single near hit but fake to mess up your phone.

  2. I don’t mind the article being here (it’s not the kind of thing I come to hackaday but that doesn’t matter). What I don’t like is the terrible headline, “Fake Super Mario App runs away with your money” at least represents what the article is about. The original headline is pure clickbait.

  3. Is there an alternative to hackaday that does not post:
    – Neopixel hacks
    – “I did it with an Arduino, a resistor, and an LED” hacks
    – Life hacks
    – malware warnings that start chain letters

    I will happily switch.

    1. If you take to reading sites such as hackaday via RSS it is pretty easy to filter according to your whims. I use rss2email so that all my news is funnelled into Gmail, and it is then simple to filter into categories by RSS source and drop individual entries (e.g. any hackaday post mentioning neopixel).

      If you want even more control over the feed it also isn’t too hard to use something like huginn to make customized filters and aggregations.

      (Personally I haven’t felt the need to filter hackaday but with other sites I do)

  4. I’ll be honest, I don’t like the article because it doesn’t add any value to the website in my opinion.
    I think it’s safe to assume that most (nearly all?) visitors to this website know that opening random files especially executables from non-trusted sources is a bad idea. The malware itself is also nothing new; it tries to steal money by posing as something else. The latter half of the article that explains how to avoid installing malware is almost insulting to the intelligence of the readers.

    The title would have been perfectly fine if the article had some real contents but as it stands now it’s just clickbait without substance.

    If anyone disagrees/agrees feel free to reply, but in my opinion this article gets a downvote.

    The writer has written perfectly fine articles for this site and as such this ‘attack’ is not directed to him but to articles such as these to prevent them from appearing in the first place on hackaday.

    1. +1 for more content

I come to Hack-a-day to wade through heavy technical details and really understand the low-level nuts and bolts of such things. It would be nice to know if this is just another piece of credential-stealing malware like the other tens of thousands out there, or something new and unique that utilizes some unknown or unexpected infection vector (say an elaborate exploit using undocumented registers in the radio controller).

From what I see, it looks to be the standard crap with the only difference being that it has Mario in it. Not much different than the Flappy Bird-based malware that flooded the ecosystem not too long ago.

5. If you’re going to steal games you’re going to get stuff stolen from you too. They get what they deserve. I’m an app developer, can’t sell anything on Android. Within hours of putting up a paid app it’s cracked and put on free download. So I have to load games with adverts to make a living.

Next time you have a moan about adverts in games, it’s the people stealing them that are to blame.

1. It’s not all about stealing. I just don’t want Google to lurk around and watch all of my steps (almost literally). So while I do use Android, I uninstalled Play Store, Play Services, etc. That leaves me with no other option than turning the verified sources off. And use F-Droid happily ever after, combined with hopefully trustworthy apk downloader sites for the few closed source apps that I use.
