Android banking Trojan malware disguises itself as Super Mario Run

Nintendo's app isn't on Android yet -- but cybercriminals are looking to exploit people who can't wait to download it.
Written by Danny Palmer, Senior Writer

The Trojan disguises itself as Super Mario Run to trick users into giving up bank account details and credit card numbers.

Image: Nintendo

Cybercriminals are taking advantage of Android users who are desperate to play Nintendo's wildly popular Super Mario Run mobile game, in order to spread the notorious Marcher banking Trojan malware.

Nintendo's iconic plumber made his much anticipated debut on mobile devices in December and is currently exclusive to Apple iOS users, who can download the game via the App Store.

But some desperate users are looking for ways to gain access to it on Android by attempting to download versions from third-party websites. And, much like they did when Android users wanted to download Pokemon Go before it was available, attackers are actively looking to exploit that demand by tricking users into downloading the bank information stealing Marcher Trojan.

The Marcher malware has been around since March 2013, and has repeatedly evolved in order dupe unsuspecting victims into installing it, even posing as an Android firmware update, then tricking users into entering their banking details into a fake overlay page which hands them directly to the attackers.

Now, cybersecurity researchers at Zscaler have warned that the Trojan is disguising itself as Super Mario Run in a new effort to steal financial account details and credit card numbers from those most desperate to download the game on Android by bypassing the official Google Play store.

From fake websites advertising the availability of an Android version of Super Mario Run, users are invited to download a phony version of the app, which demands the user grant it various permissions including administrative rights to the device.

By providing administrative access to the infected systems, users are enabling the gang behind Marcher to monitor the device and steal login data of not just banking and payment apps, but also for apps including Facebook, WhatsApp, Skype, Gmail, the Google Play store, and more. Criminals can exploit all of these stolen details to carry out additional fraud.

Due to the constantly evolving nature of the malware, Zscaler researchers have previously dubbed Marcher "the most prevalent threat to the Android devices" and the malware attacks all versions of Google's mobile operating system.

Marcher first originated on Russian underground forums but has since become a global threat, with the Trojan targeting bank customers around the world.

The best way for Android users to avoid falling victim to Marcher is to only download applications from trusted application stores such as Google Play, and not downloading anything from unknown sources.

Read more on cybercrime

Editorial standards