Mobile & Wireless

DroidJack Masquerades as Super Mario Run for Android

Less than two weeks after the Marcher Trojan was found masquerading as the unreleased Super Mario Run game for Android, the infamous DroidJack RAT (Remote Access Trojan) has reportedly adopted the same distribution tactic.

Preying on the popularity of mobile games for distribution isn’t new for Trojans, and especially not for DroidJack, which was seen in July 2016 posing as the not-yet-released Pokemon GO app for Android only days after the game landed on iOS. Within weeks, numerous malicious Pokemon GO for Android apps were spotted distributing various malware families.

Now, Super Mario Run appears to be suffering a similar fate, where cybercriminals abuse its popularity and user naivety to distribute some of the most dangerous mobile malware out there: the Marcher Trojan and DroidJack RAT.

While Marcher was designed to steal victims’ banking and credit card information, targeting users of well-known banks worldwide, DroidJack (also known as SandroRAT) was designed to record and steal all of a user’s information from a compromised device.

Unsuspecting Android users looking to get a taste of Super Mario Run before it officially lands on the platform are instead served the DroidJack RAT, which immediately requests permissions that effectively hand control of the smartphone or tablet to the attacker. These include permissions to access call data, messages, videos, photos, contacts, bookmarks, web history and the like.

The malware can also connect to Wi-Fi and retrieve running apps at startup, can read and edit text messages and even make phone calls, researchers have discovered. Even more worrying is that the malware can execute remote commands to spy on users by taking photos, recording video, recording calls, and the like.

Zscaler researchers also reveal that the RAT is able to extract WhatsApp data from the infected devices. All of the gathered information is stored in a database and is then sent to the command and control (C&C) server. The URL for the server is hardcoded in the malware’s code, the researchers also say.

“The DroidJack RAT is another example of a growing trend in which malware authors seek to exploit public interest as a way to spread malware. In this case, like others before, the event of a popular game release became an opportunity to trick unsuspecting users into downloading the RAT. As a reminder, it is always a good practice to download apps only from trusted app stores such as Google Play,” Zscaler concludes.

Users can head to the Security settings of their devices and uncheck the “Unknown Sources” option to prevent the device from installing applications from sources other than trusted app stores (on Android 8.0 and later this became a per-app “Install unknown apps” permission rather than a single global switch). They should also pay close attention to the permissions a newly installed application asks for: a game that wants to read SMS, call logs and contacts or to use the camera and microphone is often a dead giveaway of malicious code.
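The two giveaways the article points to, an over-privileged permission set and a hardcoded C&C URL, can both be checked statically before an APK is installed. The following is an added example written for this page, not code from Zscaler’s research or from the article. It assumes the APK’s AndroidManifest.xml has already been decoded to plain XML (for instance with apktool) and that the strings of classes.dex are available as raw bytes; the mapping from the capabilities the article lists to Android permission constants is my own, and the sample manifest and string dump are constructed for illustration, not taken from the real malware.

```python
"""Static triage of a sideloaded Android APK: permission set and hardcoded URLs.

Added example, not the article's or Zscaler's code. The permission names are the
standard Android constants; mapping them to the capabilities the article lists
(call data, messages, contacts, camera, call recording, ...) is an assumption
of this script, not something the article states.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability -> permissions that grant it (our own mapping, see module docstring).
SPYWARE_PERMISSIONS = {
    "call data": {"android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
                  "android.permission.READ_PHONE_STATE"},
    "messages": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
                 "android.permission.RECEIVE_SMS", "android.permission.WRITE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "web history": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "camera/video": {"android.permission.CAMERA"},
    "call recording": {"android.permission.RECORD_AUDIO"},
    "wifi control": {"android.permission.CHANGE_WIFI_STATE"},
    "startup persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def spyware_capabilities(manifest_xml: str) -> dict[str, set[str]]:
    """Map each spyware capability to the permissions the app actually requests."""
    perms = declared_permissions(manifest_xml)
    return {cap: perms & wanted for cap, wanted in SPYWARE_PERMISSIONS.items() if perms & wanted}


def looks_like_rat(manifest_xml: str, threshold: int = 4) -> bool:
    """Heuristic: a 'game' that covers >= threshold spyware capabilities is suspect."""
    return len(spyware_capabilities(manifest_xml)) >= threshold


# Printable-ASCII URL pattern; good enough for strings pulled out of a DEX file.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def hardcoded_urls(blob: bytes) -> list[str]:
    """Return the distinct http(s) URLs embedded in a binary string dump."""
    return sorted({m.decode("ascii", "replace") for m in URL_RE.findall(blob)})


# Constructed sample manifest for a fake game; not DroidJack's real manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Super Mario Run"/>
</manifest>
"""

# Constructed manifest of a benign game that only needs network access.
CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.realgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Some Game"/>
</manifest>
"""

# Constructed bytes standing in for a classes.dex string table (hypothetical host).
SAMPLE_STRINGS = (b"\x00\x01Lcom/example/fakegame/Main;\x00"
                  b"http://c2.example.invalid:1337/upload\x00ping\x00")

if __name__ == "__main__":
    for cap, perms in sorted(spyware_capabilities(SAMPLE_MANIFEST).items()):
        print(f"{cap:20s} {', '.join(sorted(perms))}")
    print("verdict:", "suspicious" if looks_like_rat(SAMPLE_MANIFEST) else "ok")
    print("hardcoded URLs:", hardcoded_urls(SAMPLE_STRINGS))
```

The threshold is deliberately crude: a single sensitive permission is normal for many legitimate apps, but a game declaring call-log, SMS, contacts, camera and microphone access at once matches the profile the article describes and is worth pulling apart before it ever reaches a device.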

Related: Fake Super Mario Run for Android Installs Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
