A few months ago, people fell victim to malware posing as the mobile game Pokemon GO.
Now a new one has surfaced: a fake version of Super Mario Run for Android. It is a blatant attempt to trick unsuspecting smartphone users into downloading it and infecting their devices with the Marcher Trojan.
The Marcher Trojan is banking malware that tries to acquire administrator privileges on an Android device once it gets in. Its basic function is to wait patiently for the user to open a banking or payment app, or a commonly used app such as Facebook, Gmail and the like.
The main tactic the attackers have been employing is to overlay the app with a fake login page to steal the login credentials.
For malware such as the Marcher Trojan to spread further and reach a wider audience, its operators have to give it a disguise. In August 2016 it masqueraded as a firmware update. Now they have latched onto the Super Mario Run trend.
A lot of Android users have been waiting for Super Mario Run to be released for their phones ever since it launched for iOS on December 15, 2016.
There has been no word that an Android version will be released soon.
With that in mind, attackers are capitalizing on the void by filling it with their fake Android installers.
They are riding the trend the same way they did with Pokemon GO, this time with a fake release of Super Mario Run, another hit mobile game.
This particular campaign centers around a malicious file named SuperMarioRun.apk, which has a 22/57 detection ratio on VirusTotal as of this writing.
Marcher immediately asks for administrative privileges upon successful installation. It then sits back and waits to strike against its latest targets: banking and account management apps.
That’s not all it does in this campaign, however. Researchers at infosecurity firm Zscaler explain:
“Like previous Marcher variants, the current version also presents fake credit card pages once an infected victim opens the Google Play store. The malware locks out Google Play until the user supplies the credit card information….”
Zscaler’s research team goes on to note that Marcher’s banking app overlays weren’t working at the time of their analysis. That might be a comfort to users who have already suffered an infection. But attackers could get the fake login pages back up and running in no time.
Although the app overlays did not work during the analysis, users should stay alert, vigilant and on the lookout for suspicious login pages and attempts to access Facebook, Gmail and other pages that require logins.
Users should never download and install applications from unofficial sources. Even Google Play is not 100% perfect; however, it makes up for that by scanning applications for malware. Other sources may not make the same effort to scan the files they distribute. For now, Google Play is relatively safe compared to downloading from other sources.