The Android Marcher Trojan has been spotted masquerading as Super Mario Run, the mobile game recently released for Apple's iOS, Zscaler security researchers warn.
Although Nintendo has released Super Mario Run for iOS users, the game is still not available for Android. Cybercriminals are taking advantage of this gap to spread malware to Android devices. Something very similar happened last year with Pokemon GO, when a backdoored variant emerged a week after the game was released for iOS.
Instead of installing a game, the so-called Super Mario Run application for Android was designed to install the Marcher malware. Marcher is a sophisticated banking Trojan capable of stealing victims' banking and credit card information; to do so, it displays fake overlay pages on top of legitimate applications.
“Once the user’s mobile device has been infected, the malware waits for victims to open one of its targeted apps and then presents the fake overlay page asking for banking details. Unsuspecting victims will provide the details that will be harvested and sent out to the malware’s command and control (C&C) server,” says Zscaler.
Once installed on a victim's device, the malware asks for multiple permissions, including administrative rights. If the victim grants them, the malware can begin its malicious activity.
Previously, the Trojan was seen targeting well-known banks in the United Kingdom, Australia, and France, but the new variant is aiming at account management apps as well as well-known banks. The new iteration was also observed presenting fake credit card pages to users as soon as they open the Google Play store on their devices.
“The malware locks out Google Play until the user supplies the credit card information,” the security researchers warn.
However, because the banking overlay pages served by the command and control (C&C) server were not functioning properly during the analysis, the researchers believe the malware is still under development. The new variant also uses a new obfuscation technique: every character of its important strings is delimited with '<<zB5>>'.
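The delimiter-based obfuscation described above is also a useful static indicator for analysts. The following Python helper is an added example, not code from Zscaler or the article: it reconstructs delimiter-obfuscated strings from a decompiled-code or strings dump and combines that with the permission requests the article mentions. The sample dump is constructed, and the specific permission names (BIND_DEVICE_ADMIN, SYSTEM_ALERT_WINDOW) are assumed, since the article only says the malware asks for administrative rights and draws overlays.

```python
import re

# Delimiter reported by Zscaler for this Marcher variant (from the article).
MARCHER_DELIM = "<<zB5>>"

# A run of at least three non-blank characters joined by the delimiter,
# e.g. 'h<<zB5>>t<<zB5>>t<<zB5>>p'. Double quotes are excluded so that a
# smali const-string literal does not drag its quotes into the match.
_OBF_RUN = re.compile(r'(?:[^\s"]%s){2,}[^\s"]' % re.escape(MARCHER_DELIM))

# Manifest markers an overlay banking trojan typically needs. These names are
# assumed here; the article only mentions "administrative rights" and overlays.
ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"


def recover_strings(dump: str) -> list[str]:
    """Return the plaintext strings hidden behind delimiter obfuscation."""
    return [m.group(0).replace(MARCHER_DELIM, "") for m in _OBF_RUN.finditer(dump)]


def triage(dump: str, permissions: list[str], min_hits: int = 2) -> dict:
    """Combine the string indicator with the permission indicators."""
    recovered = recover_strings(dump)
    perms = set(permissions)
    return {
        "obfuscated_strings": recovered,
        "admin_requested": ADMIN_PERMISSION in perms,
        "overlay_requested": OVERLAY_PERMISSION in perms,
        # Flag when several obfuscated runs appear together with an admin request.
        "suspicious": len(recovered) >= min_hits and ADMIN_PERMISSION in perms,
    }


# Constructed smali-style dump for illustration; not taken from a real sample.
SAMPLE_DUMP = (
    'const-string v0, "h<<zB5>>t<<zB5>>t<<zB5>>p<<zB5>>s<<zB5>>:<<zB5>>/<<zB5>>/"\n'
    'const-string v1, "Super Mario Run"\n'
    'const-string v2, "<<zB5>>c<<zB5>>o<<zB5>>m<<zB5>>.<<zB5>>a<<zB5>>n<<zB5>>d<<zB5>>r<<zB5>>o<<zB5>>i<<zB5>>d<<zB5>>"\n'
)
SAMPLE_PERMISSIONS = ["android.permission.INTERNET", OVERLAY_PERMISSION, ADMIN_PERMISSION]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP, SAMPLE_PERMISSIONS).items():
        print(f"{key}: {value}")
```

Running it on the constructed dump recovers "https://" and "com.android" while leaving the plain "Super Mario Run" literal alone; a dump of unobfuscated code yields no hits.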