Fake Super Mario Run App Steals Credit Card Information

By | April 20, 2017

By Jordan Pan and Masashi Yamamoto

Trend Micro has recognized extra malicious Android apps abusing the title of the favored mobile sport Super Mario Run. We earlier reported about how faux apps have been using the app’s recognition to spread; attackers have now launched variations of these faux apps that steal the user’s financial institution card information.

Super Mario Run is a mobile sport that Nintendo first launched on the iOS platform in September 2016, adopted by the Android mannequin on March 23, 2017. Mobile video games have always confirmed to be engaging lures for cybercriminals to get prospects to receive their malicious apps and doubtlessly undesirable apps (PUAs). This is simply not the foremost time that the title of a well-liked sport was abused; we’ve talked about how the recognition of Pokémon Go was equally abused.

Based on suggestions from the Smart Protection Network™, we noticed greater than 4 hundred of these apps inside the foremost three months in 2017 alone. In the identical time frame, we noticed 34 faux apps explicitly named “Super Mario Run”—it’s a noteworthy trend, as we noticed the foremost of these solely in December 2016.

In this publish we’ll focus on the habits of a mannequin new financial institution card stealing variant named “Fobus” (detected as ANDROIDOS_FOBUS.OPSF).

Fobus was distributed through third-party app stores. As is the norm, it asks for various permissions:

Figure 1. Fake app requesting permissions

During the set up process, it additionally asks for itself to be activated as a instrument administrator:


Figure 2. Fake app requesting system administrator privileges

After it is effectively installed, it gathers delicate information corresponding to a consequence of the user’s mobile number, contact information, location, and SMS messages from the device. The device administrator privileges permit it to cowl its personal icon if the person tries to run the faux app, which has the identical icon as a consequence of the exact Super Mario Run app. This additionally makes uninstalling the faux app extra difficult. No mannequin of the sport is definitely installed.

The exact aim of this app is to steal financial institution card information. When Google Play is launched with this app installed, a faux visual display unit pops up and asks the person to enter their financial institution card information. Even if person tries to click on on the grayed out space inside the background, the pop-up can not be closed; the person has no different however to entry Google Play by offering financial institution card information into the field.

Figure 3. Pop-up when opening Google Play

The app goes up to now as to look at if the entered card quantity is a reliable one. The first six digits identifies the issuing community of the cardboard (i.e., Visa, Mastercard, etc.), and the app shows the picture of the relevant network. It additionally makes use of the Luhn algorithm to look at if the quantity is valid. If an invalid quantity is entered, it shows an error message saying “Incorrect financial institution card number”.

Figure 4. Verification of financial institution card number

If a reliable card quantity is entered, the app then shows extra fields asking for the cardboard holder’s name, the card’s expiration date, and safety code—information that is positioned on the cardboard itself.

Figure 5. Request for extra card information

When the person completes this information, it is going to ask for means extra information, this time associated to the user: the user’s birthday, address, and telephone number. After moving into all of the information, the person can lastly entry Google Play.

Figure 6. Request for extra person information

The app additionally allowed a distant attacker to reset the device’s PIN; this was accomplished through instructions issued by a command-and-control (C&C) server. This allowed an attacker to lock the person out of their very personal device. This C&C server additionally receives the financial institution card information stolen from the person inside the earlier steps.


Cybercriminals continuously revenue from well-liked and hotly anticipated titles to push their very personal malicious apps. These are usually distributed through third-party app stores. Some prospects might make the most of such app shops to receive “unreleased” variations of reliable apps, or to buy apps for free. These apps are illegitimate inside the foremost place, and the risks to finish users are pretty high. We strongly advise that prospects receive and set up apps solely from reliable app shops corresponding to Google Play or trusted third-party app store.

In completely different cases, an attacker might even current a faux app retailer that resembles Google Play. Alternately, a message supposedly from a buddy despatched through social media might lead to a malicious app. Disabling the “Allow set up of apps from unknown sources” setting prevents apps inadvertently downloaded these methods from being installed. By default, this setting is about to off. Only flip it on in case you acknowledge you are placing in an app from a trusted third-party app store.

To carry out malicious habits corresponding to placing in completely different apps on the user’s system with none person enter and consent, or hiding icons and processes, an app wants system administrator privileges. Legitimate apps seldom require these; prospects ought to double look at every time an app asks for them. This is very true of games, which do not require system administrator privileges. A “game” asking for these privileges is liable to be malicious or a PUA.

Trend Micro solutions

Users ought to solely set up apps from the Google Play or trusted third-party app shops and use mobile safety options such as Trend Micro™ Mobile Security to block threats from app shops earlier than they’re usually put in and set off harm your system or data.

Enterprise prospects ought to think about an reply like Trend Micro™ Mobile Security for Enterprise. This consists of system management, information protection, software management, compliance management, configuration provisioning, and completely different options so employers can steadiness privateness and safety with the pliability and added productiveness of BYOD programs.


Fake Super Mario Run App Steals Credit Card Information

Please check this great service at: http://www.test-net.org/services/bandwidth-meter/ or visit FREE SERVICES menu

[Total: 0    Average: 0/5]