Less than two weeks after the Marcher Trojan was found masquerading as the unreleased Super Mario Run game for Android, the infamous DroidJack RAT (Remote Access Trojan) has reportedly adopted the same distribution tactic.
Preying on the popularity of mobile games for distribution isn’t new for Trojans, and especially not for DroidJack, which was seen in July 2016 posing as the unreleased Pokemon GO app for Android only days after the game landed on iOS. Within weeks, numerous malicious Pokemon GO apps for Android were spotted distributing various malware families.
Now, Super Mario Run appears to be suffering a similar fate, where cybercriminals abuse its popularity and user naivety to distribute some of the most dangerous mobile malware out there: the Marcher Trojan and DroidJack RAT.
While Marcher was designed to steal victims’ banking and credit card information, targeting users of well-known banks worldwide, DroidJack (also known as SandroRAT) was designed to record and steal all of a user’s information from a compromised device.
Unsuspecting Android users looking to get a taste of Super Mario Run before it officially lands on the platform are instead served the DroidJack RAT, which immediately requests a set of permissions that effectively hands control of the smartphone or tablet to the attacker. These include permissions to access call data, messages, videos, photos, contacts, bookmarks, web history, and the like.
The malware can also connect to Wi-Fi and retrieve running apps at startup, can read and edit text messages and even make phone calls, researchers have discovered. Even more worrying is that the malware can execute remote commands to spy on users by taking photos, recording video, recording calls, and the like.
Zscaler researchers also reveal that the RAT is able to extract WhatsApp data from the infected devices. All of the gathered information is stored in a database and is then sent to the command and control (C&C) server. The URL for the server is hardcoded in the malware’s code, the researchers also say.
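The two behaviours described above, a permission set far beyond what a game needs and a C&C address hardcoded in the app's code, are exactly what a quick static triage of a sideloaded APK should surface. The script below is an added example written for this page, not code from Zscaler's report or from the malware; the permission-to-capability mapping is the editor's own, and the sample `aapt dump badging` output and `classes.dex` bytes are constructed to illustrate the checks (the package name and the TEST-NET addresses are hypothetical).

```python
"""Static triage of a suspicious Android APK (added example, not from the original page).

Check 1: score the permissions printed by `aapt dump badging <file.apk>` against the
         capabilities a RAT needs (SMS, calls, camera, microphone, contacts, history).
Check 2: scan raw classes.dex bytes for hardcoded URLs / IP:port strings, which is how
         a hardcoded C&C endpoint shows up (dex string data is MUTF-8, so URLs are ASCII).
"""
import re
import zipfile

# Editor's mapping from permission to the spying capability it enables (an assumption,
# chosen to mirror the behaviours reported for DroidJack, not taken from the report itself).
RAT_CAPABILITIES = {
    "android.permission.READ_SMS": "read text messages",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CALL_LOG": "read call data",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.RECORD_AUDIO": "record calls / microphone",
    "android.permission.CAMERA": "take photos / record video",
    "android.permission.READ_CONTACTS": "dump contacts",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read bookmarks and web history",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot",
    "android.permission.CHANGE_WIFI_STATE": "connect to Wi-Fi",
    "android.permission.GET_TASKS": "enumerate running apps",
}

# `aapt dump badging` prints one line per permission: uses-permission: name='...'
_PERM_RE = re.compile(r"uses-permission:\s*name='([^']+)'")


def parse_permissions(aapt_output):
    """Return the set of permission names found in aapt badging/permissions output."""
    return set(_PERM_RE.findall(aapt_output))


def score_permissions(perms):
    """Return (count, {permission: capability}) for permissions a RAT would want.
    For a game, any hit on SMS, calls, camera or microphone is a red flag."""
    hits = {p: RAT_CAPABILITIES[p] for p in sorted(perms) if p in RAT_CAPABILITIES}
    return len(hits), hits


_URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
_IPPORT_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}(?![\d.])")
# XML namespace URIs that legitimately appear in almost every dex file.
BENIGN_PREFIXES = (b"http://schemas.android.com/", b"http://www.w3.org/",
                   b"http://xml.org/", b"http://xmlpull.org/", b"http://apache.org/")


def find_hardcoded_endpoints(dex_bytes):
    """Return sorted, de-duplicated URLs and IP:port literals embedded in dex bytes."""
    urls = []
    for m in _URL_RE.finditer(dex_bytes):
        url = m.group(0)
        if not url.startswith(BENIGN_PREFIXES):
            urls.append(url.decode("ascii", "replace"))
    ips = []
    for m in _IPPORT_RE.finditer(dex_bytes):
        ip = m.group(0).decode("ascii")
        if not any(ip in u for u in urls):  # already reported as part of a URL
            ips.append(ip)
    return sorted(set(urls + ips))


def scan_apk_dex(apk_path):
    """Run the endpoint scan over every classes*.dex inside an APK (a zip file)."""
    found = []
    with zipfile.ZipFile(apk_path) as z:
        for name in z.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                found.extend(find_hardcoded_endpoints(z.read(name)))
    return sorted(set(found))


# Constructed sample input: what `aapt dump badging` might print for a fake game APK.
SAMPLE_AAPT_OUTPUT = """\
package: name='com.example.mariorun.fake' versionCode='1' versionName='1.0'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

# Constructed sample dex string data: one benign namespace URI plus two hypothetical
# hardcoded endpoints (TEST-NET addresses, not real infrastructure).
SAMPLE_DEX_BYTES = (b"dex\n035\x00" + b"\x00" * 8
                    + b"http://schemas.android.com/apk/res/android\x00"
                    + b"Landroid/telephony/SmsManager;\x00"
                    + b"http://192.0.2.10:1337/droid/update\x00"
                    + b"198.51.100.7:8080\x00")

if __name__ == "__main__":
    count, hits = score_permissions(parse_permissions(SAMPLE_AAPT_OUTPUT))
    print(f"{count} RAT-grade permissions:")
    for perm, cap in hits.items():
        print(f"  {perm}: {cap}")
    print("hardcoded endpoints:", find_hardcoded_endpoints(SAMPLE_DEX_BYTES))
```

On a real sample, feed `parse_permissions` the output of `aapt dump badging <file.apk>` and call `scan_apk_dex` on the APK itself; the endpoint scan is deliberately crude (it will also list update and analytics URLs), so treat its output as a list of strings to pivot on, not as a verdict.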
“The DroidJack RAT is another example of a growing trend in which malware authors seek to exploit public interest as a way to spread malware. In this case, like others before, the event of a popular game release became an opportunity to trick unsuspecting users into downloading the RAT. As a reminder, it is always a good practice to download apps only from trusted app stores such as Google Play,” Zscaler concludes.
Users can head to the Security settings of their devices and uncheck the “Unknown Sources” option, which prevents the device from installing applications from sources other than trusted app stores (on Android 8.0 and later this became a per-app “Install unknown apps” permission). They should also pay attention to the permissions newly installed applications ask for: a game that wants to read text messages, call logs and contacts or to use the camera and microphone is a dead giveaway for malicious code.