Earlier last year, we talked about how cybercriminals took advantage of the popularity of Pokemon Go to launch their own malicious apps. As 2016 comes to a close, we observe the same thing happening to another of Nintendo’s game properties: Super Mario.
The Super Mario franchise has been a key part of Nintendo’s video game business, with multiple title releases across different platforms since the mid-80s. However, despite the growth of the mobile gaming market, Nintendo held off on creating any Super Mario game for mobile platforms. This changed in September 2016, when Nintendo announced the release of Super Mario Run on iOS and Android. The iOS version of this game was launched on December 15, 2016, with an Android release scheduled next year.
In advance of any official release, cybercriminals have already released their own Mario-related apps. Since 2012, we have found more than 9,000 apps using the Mario name on various sources online. About two-thirds of these apps show some kind of malicious behavior, including displaying ads and downloading apps without the user’s consent. Since the start of the year we have detected these malicious apps approximately 90,000 times, most of which were downloaded by users in the following countries:
Fake Apps Posing As Mario Games
Most of the malicious apps that we found simply display advertising. However, others install unwanted or unneeded apps onto the user’s device. We’ll take a look at two of these malicious apps.
One of the apps is a “Super Mario” app detected as ANDROIDOS_DOWNLOADER.CBTJ. It is distributed via third-party app stores:
Figure 2. Fake “Super Mario” app
When the user tries to run this app, the game doesn’t start. It claims an update is needed, and users are prompted to install another app:
Figures 3 and 4. App downloading “update”, permissions of 9Apps
This newly installed app is called “9Apps”, which is an app used by a third-party app store. While this app may not be malicious, it is still an unneeded app that is installed on the user’s device.
However, there are more malicious cases. We found another malicious Mario app, which we detect as ANDROIDOS_DOWGIN.AXMD. It also calls itself “Super Mario” and comes from a third-party app store.
Figure 5. Permissions of malicious app
The following screen is displayed upon starting up after installation. The installation allows users to play an emulator version of the original Super Mario game:
Figure 6. In game screenshot
However, it does exhibit malicious and unsolicited activities. It creates unnecessary icons, displays pop-up and banner ads, installs other apps, and performs other intrusive activities without any input from the user.
Figure 7. Pop-ups and ads displayed
Figure 8. Fraudulent security warning
Figure 9. Sample banner ad
Clicking on these ads or icons will direct users to either adult sites or malicious sites. In either case, the goal is to get users to install various apps. While some of these apps are perfectly legitimate, some are suspicious apps distributed by third-party app stores, including more malicious apps that even request for administrator rights.
Solution and Best Practices
Cybercriminals frequently take advantage of popular (or anticipated) titles to push their own malicious apps, as we see here. We strongly advise that users avoid third-party app stores to try and download apps, especially if they claim to be the “unofficial” or “unreleased” versions of legitimate apps. These apps are illegitimate in the first place, and the risks to end users are quite high. You can protect your device from inadvertent installations by third party stores or websites by disabling “Allow installation of app from unknown sources” from Android’s security settings.
Activating an app as a device administrator is required to execute potentially malicious activities such as installing apps secretly, or hiding icons and processes from the user. Therefore, when an app asks you to activate themselves as a device administrator, it should be a red flag. Check whether it is appropriate for the app being installed.
Figure 10. Malicious app requesting for admin privileges
Users should only install apps from the Google Play or trusted third-party app stores and use mobile security solutions such as Trend Micro™ Mobile Security to block threats from app stores before they can be installed and cause damage your device or data.
Additional analysis/insights by Masashi Yamamoto and Higashi Yuka (Regional Trend Labs)
Indicators of Compromise
The malicious apps mentioned in this blog post have the following SHA1 hashes:
4ba312a6eaf79da9036d4228a43f19c611345a5a (detected as ANDROIDOS_DOWGIN.AXMD)
8373aedc9819ff5dacb0fc1864eeb96adc5210b2 (detected as ANDROIDOS_DOWNLOADER.CBTJ