DroidJack Masquerades as Super Mario Run for Android

Less than two weeks after the Marcher Trojan was found masquerading as the unreleased Super Mario Run game for Android, the infamous DroidJack RAT (Remote Access Trojan) has reportedly adopted the same distribution tactic.

Preying on the popularity of mobile games for distribution isn’t something new for Trojans, especially for DroidJack, which was seen in July 2016 posing as the unreleased Pokemon GO app for Android only days after the game landed on iOS. Within weeks, numerous malicious instances for Pokemon GO for Android were spotted distributing various malware families.

Now, Super Mario Run appears to be suffering a similar fate, where cybercriminals abuse its popularity and user naivety to distribute some of the most dangerous mobile malware out there: the Marcher Trojan and DroidJack RAT.

While Marcher was designed to steal victims’ banking and credit card information, targeting users of well-known banks worldwide, DroidJack (also known as SandroRAT) was designed to record and steal all of a user’s information from a compromised device.

Unsuspecting Android users looking to get a taste of the Super Mario Run game before it officially lands on the platform are instead served the DroidJack RAT, which immediately asks for permissions that effectively let it take over the smartphone or tablet. These include permissions to tap into call data, messages, videos, photos, contacts, bookmarks and web history, and the like.

The malware can also connect to Wi-Fi and retrieve running apps at startup, can read and edit text messages and even make phone calls, researchers have discovered. Even more worrying is that the malware can execute remote commands to spy on users by taking photos, recording video, recording calls, and the like.

Zscaler researchers also reveal that the RAT is able to extract WhatsApp data from the infected devices. All of the gathered information is stored in a database and is then sent to the command and control (C&C) server. The URL for the server is hardcoded in the malware’s code, the researchers also say.

“The DroidJack RAT is another example of a growing trend in which malware authors seek to exploit public interest as a way to spread malware. In this case, like others before, the event of a popular game release became an opportunity to trick unsuspecting users into downloading the RAT. As a reminder, it is always a good practice to download apps only from trusted app stores such as Google Play,” Zscaler concludes.

Users can head to the Security settings of their devices to uncheck the “Unknown Sources” option and prevent the device from installing applications coming from sources other than trusted app stores. They should also make sure they always pay attention to the permissions newly installed applications ask for, because these are often a dead giveaway when it comes to malicious code.
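As an added illustration of the permission check recommended above (example code written for this page, not from Zscaler or SecurityWeek): the script parses an AndroidManifest.xml and flags the requested permissions that a casual game has no plausible use for, using the capabilities the article lists (call data, SMS, camera, contacts, browser history, call recording, placing calls). The manifest and package name are constructed, and the list of "high-risk for a game" permissions is this example's own assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed list of permissions a casual game should not need. Each entry maps
# onto one of the capabilities described in the article.
HIGH_RISK = {
    "android.permission.READ_CALL_LOG": "call data",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.RECEIVE_SMS": "intercept text messages",
    "android.permission.CAMERA": "take photos / record video",
    "android.permission.RECORD_AUDIO": "record audio / calls",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CALL_PHONE": "place phone calls",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "bookmarks and web history",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup",
}

# Constructed manifest modelled on the behaviour described in the article;
# the package name is a placeholder, not a real sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.supermario">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the sorted list of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))


def triage(manifest_xml):
    """Return (count, [(permission, capability), ...]) of high-risk permissions."""
    hits = [(p, HIGH_RISK[p]) for p in requested_permissions(manifest_xml) if p in HIGH_RISK]
    return len(hits), hits


if __name__ == "__main__":
    count, hits = triage(SAMPLE_MANIFEST)
    print(f"{count} permissions inconsistent with a game:")
    for perm, capability in hits:
        print(f"  {perm}: {capability}")
```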

Related: Fake Super Mario Run for Android Installs Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
