If you are an Android user and a big fan of Super Mario, beware: there is no Android version! There has been no official news on the Android version yet, let alone a version of the game. There is, however, a version circulating outside of the Google Play market that will steal your bank account.
Right now attackers are taking advantage of the game’s popularity and Android users’ despair to spread malware posing as an Android version of Super Mario Run, as they did in the past for Pokemon GO. The trojan is called Android Marcher and has been around since 2013, mostly targeting mobile users’ financial information. After installation, the application attempts to trick users with fake finance apps and a credit card page in an effort to capture banking details. The malware also locks out Google Play until the user supplies their credit card information.
This new variant of Marcher can monitor the device and steal login data from regular apps, not just banking and payment apps, and send the stolen data back to command and control (C&C) servers. Facebook, WhatsApp, Skype, Gmail, and the Google Play store are all vulnerable. Criminals can exploit these stolen accounts to carry out additional fraud.
The Zscaler researchers’ advice is:
To avoid becoming a victim of such malware, it is a good practice to download apps only from trusted app stores such as Google Play. This practice can be enforced by unchecking the “Unknown Sources” option under the “Security” settings of your device.
We would add: turn on “App Verification”. Verify Apps regularly checks activity on your device and prevents or warns you about potential harm. Verify Apps is on by default, and Unknown Sources is off by default. Verify Apps also checks apps when you install them from sources other than Google Play. Of course, there is a privacy trade-off: some information about the apps you install has to be sent back to Google.
The main advice is: use common sense. It’s common practice for companies to release official app versions through Google Play, and it is highly unlikely that they would do it any other way.
37 thoughts on “Super Mario Run(s) — Away With Your Money”
uh, thank you….engadget…
WTF Hackaday. Why do you add such fluff to an otherwise good news site?
This is bullshit.
I said news site but Hackaday isn’t really. The above article could be considered news.
This is an article about social engineering and how to become rich.
Did you actually click through and read the Zscaler article? It picks apart the malware app, explaining how it works. Interesting stuff. Or you can just leave a rage comment I suppose.
I clicked on the link that was provided. I didn’t click on any of their links. In my mind an article on a website (in this case: Hackaday), should ideally contain all the information that the article is discussing. If the article requires you to do quite a bit of investigating yourself to find out what’s going on, then in my opinion it’s a bad article.
First of all….HackAday can’t reproduce the article because the authors would not want to be plagiarists, besides the article on Zscaler already has all the information that you need in order to understand the problem.
Secondly….you can’t expect HackAday to hold your hand and do everything for you — you are going to have to do work yourself (ie read).
Thirdly,….anything on the Internet could be considered by someone to be some form of news — the point being that it is bringing something to your attention and the question would be: ‘Would you have found the Zscaler article if it wasn’t posted on HackAday’ — I suppose that answer would be no.
So the intention behind this posting is perfectly valid….
Firstly, (re)producing an article is not the same as plagiarism. http://www.plagiarism.org/plagiarism-101/what-is-plagiarism/
Secondly, Hackaday is producing articles. Normally an article is a self contained story. In this case it wasn’t.
Thirdly, here’s something interesting for you. It’s up to you to now read, and you wouldn’t have found it if I hadn’t made it available to you. http://www.lmgtfy.com/?q=interesting+hacks
Get my point? Probably not.
@mime….I already knew about Google search, maybe if you took the time to read all of the pages that those search results linked to you’d have a happier life — rather than spending that time trying to make fancy graphics to tell people how to search for ‘interesting hacks’.
More to the point…..I don’t believe that HackADay is going to be your ‘cup of tea’.
Rather…..you will probably want to take your own advice and use Google to search for the things that interest you.
Until then, bye bye….
I expected HAD to discuss the technical details of the app. Instead we just get a “product may contain peanuts; please remember to wear your safety belt” message and a link to the actual details. This is an actual hack, in both the original and modern sense of the word, yet we get no more intelligent discussion than we could from CNN.
“Posted in Arduino hacks”
Oops, yeah that should have been the Android Hacks category. Fixed.
Wonder who sponsored this post?
We should put a project on hackaday.io detailing how to write and distribute such a fine piece of software.
It never fails to amaze me that people want something for nothing and when they get it they seem surprised that in reality it costs more than they realise
– i believe ” free” as in puppies is the appropriate term.
slow news I guess …
wait, I’m not on Kotaku, what is this site called hackaday btw ?
Posted in Arduino Hacks ?
…so that people can use their existing greasemonkey script!
It’s nice to know people do look at the categories. Should have been Android Hacks, fixed!
People download unreleased apps from shady places and are surprised when something bad happens. Can’t fix stupid.
The problem I face, and several other folk, is that there is no middle ground between “Only Verified Source” and “Every site that wants to install an apk”. I had to disable source verification on my work phone so it can get the Mobile Device Management apps on it, which leaves it vulnerable. I wish there was a way to tell it “These are the sources that I trust” so I can add just my company’s App Distribution server.
It’s not like my company is being cheap or doesn’t have the resources to implement a proper store, we are a 250,000 employee company, 50,000 of which are IT and InfoSec folk, with offices in 150 countries and post $40bn USD in revenue each year…
Yup. Maybe it’ll stop people stealing games.
Big problem with the play store is, even if it is released, it might not be available for your device. Then the play store refuses to display it. It only takes a single near hit but fake to mess up your phone.
I don’t mind the article being here (it’s not the kind of thing I come to hackaday but that doesn’t matter). What I don’t like is the terrible headline, “Fake Super Mario App runs away with your money” at least represents what the article is about. The original headline is pure clickbait.
No news on an Android version…What about the pre-registration you can do on Google Play?
Is there an alternative to hackaday that does not post:
– Neopixel hacks
– “I did it with an Arduino, a resistor, and an LED” hacks
– Life hacks
– malware warnings that start chain letters
I will happily switch.
If you take to reading sites such as hackaday via RSS it is pretty easy to filter according to your whims. I use rss2email so that all my news is funnelled into Gmail, and it is then simple to filter into categories by RSS source and drop individual entries (e.g. any hackaday post mentioning neopixel).
If you want even more control over the feed it also isn’t too hard to use something like huginn to make customized filters and aggregations.
(Personally I haven’t felt the need to filter hackaday but with other sites I do)
Note to software vendors. When you release ‘iPhone exclusive!’ applications you land on my “do not buy anything from again” list.
I’ll be honest, I don’t like the article because it doesn’t add any value to the website in my opinion.
I think it’s safe to assume that most (nearly all?) visitors to this website know that opening random files especially executables from non-trusted sources is a bad idea. The malware itself is also nothing new; it tries to steal money by posing as something else. The latter half of the article that explains how to avoid installing malware is almost insulting to the intelligence of the readers.
The title would have been perfectly fine if the article had some real contents but as it stands now it’s just clickbait without substance.
If anyone disagrees/agrees feel free to reply, but in my opinion this article gets a downvote.
The writer has written perfectly fine articles for this site and as such this ‘attack’ is not directed to him but to articles such as these to prevent them from appearing in the first place on hackaday.
+1 for more content
I come to Hack-a-day to wade through heavy technical details and really understand the low-level nuts and bolts of such things. It would be nice to know if this is just another piece of credential-stealing malware like the other tens of thousands out there, or something new and unique that utilizes some unknown or unexpected infection vector (say an elaborate exploit using undocumented registers in the radio controller).
From what I see, it looks to be the standard crap with the only difference being that it has Mario in it. Not much different than the Flippy Bird-based malware that flooded the ecosystem not too long ago.
Lots of people butthurt on a slow hack day. If you don’t like what is being posted then post some submission that you think belongs in hackaday.
That’s like going to a restaurant and when you complain about the charcoal beef the waiter says the next time you should cook yourself.
If you’re going to steal games you’re going to get stuff stolen from you too. They get what they deserve. I’m an app developer, can’t sell anything on Android. Within hours of putting up a paid app it’s cracked and put on free download. So I have to load games with adverts to make a living.
Next time you have a moan about adverts in games, it’s the people stealing them that are to blame.
It’s not all about stealing. I just don’t want Google to lurk around and watch all of my steps (almost literally). So while I do use android, I uninstalled Play Store, Play Services, etc. That leaves me with no other option than turning the verified sources off. And use F-Droid happily ever after, combined with hopefully trustworthy apk downloader sites for the few closed source apps that I use.
Time for someone to put that malware in a VM and feed it with lots of fake data. :)