Fake Apps Take Advantage of Super Mario Run Release
This year, we talked about how cybercriminals took advantage of the popularity of Pokemon Go to launch their own malicious apps. As 2016 comes to a close, we observe the same thing happening to another of Nintendo’s game properties: Super Mario.
Figure 1. Distribution of malicious app downloads posing as Mario-related apps (January - November 2016)
Fake Apps Posing As Mario Games
Most of the malicious apps that we found simply display advertising. However, others install unwanted or unneeded apps onto the user's device. We'll take a look at two of these malicious apps. The first is a "Super Mario" app detected as ANDROIDOS_DOWNLOADER.CBTJ. It is distributed via third-party app stores:
Figure 2. Fake "Super Mario" app
When the user tries to run this app, the game doesn't start. Instead, it claims an update is needed and prompts the user to install another app:
Figures 3 and 4. App downloading "update", permissions of 9Apps
This newly installed app is called "9Apps", the client app of a third-party app store. While 9Apps itself may not be malicious, it is still an unneeded app installed on the user's device. There are more malicious cases, however. We found another malicious Mario app, which we detect as ANDROIDOS_DOWGIN.AXMD. It also calls itself "Super Mario" and comes from a third-party app store.
Figure 5. Permissions of malicious app
The following screen is displayed on first start after installation. The app does let users play an emulator version of the original Super Mario game:
Figure 6. In-game screenshot
However, it also exhibits malicious and unsolicited activities. It creates unnecessary icons, displays pop-up and banner ads, installs other apps, and performs other intrusive activities without any input from the user.
Figure 7. Pop-ups and ads displayed
Figure 8. Fraudulent security warning
Figure 9. Sample banner ad
Clicking on these ads or icons directs users to either adult sites or malicious sites. In either case, the goal is to get users to install various apps. While some of these apps are perfectly legitimate, others are suspicious apps distributed by third-party app stores, including more malicious apps that even request administrator rights.
Solution and Best Practices
Cybercriminals frequently take advantage of popular (or anticipated) titles to push their own malicious apps, as we see here. We strongly advise that users avoid using third-party app stores to download apps, especially if they claim to offer "unofficial" or "unreleased" versions of legitimate apps. These apps are illegitimate in the first place, and the risks to end users are quite high. You can protect your device from inadvertent installations by third-party stores or websites by disabling "Allow installation of apps from unknown sources" in Android's security settings.
Activating an app as a device administrator is required to carry out potentially malicious activities such as installing apps secretly, or hiding icons and processes from the user. Therefore, when an app asks to be activated as a device administrator, it should be a red flag. Check whether that is appropriate for the app being installed.
Figure 10. Malicious app requesting admin privileges
Users should only install apps from Google Play or trusted third-party app stores, and use mobile security solutions such as Trend Micro™ Mobile Security to block threats from app stores before they can be installed and cause damage to your device or data. Enterprise users should consider a solution like Trend Micro™ Mobile Security for Enterprise. This includes device management, data protection, application management, compliance management, configuration provisioning, and other features so employers can balance privacy and security with the flexibility and added productivity of BYOD programs.
Additional analysis/insights by Masashi Yamamoto and Higashi Yuka (Regional Trend Labs)
Indicators of Compromise
The malicious apps mentioned in this blog post have the following SHA1 hashes:
- 4ba312a6eaf79da9036d4228a43f19c611345a5a (detected as ANDROIDOS_DOWGIN.AXMD)
- 8373aedc9819ff5dacb0fc1864eeb96adc5210b2 (detected as ANDROIDOS_DOWNLOADER.CBTJ)
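As an added triage example (not code from the original post or from Trend Micro), the script below checks a file's SHA1 against the two hashes listed above and scans a decoded AndroidManifest.xml (as produced by a tool such as apktool; that decoding step is assumed) for the red flags the post describes: a device-administrator receiver and permissions for installing other apps or planting home-screen icons. The sample manifest is constructed for illustration and is not taken from either real sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# SHA1 hashes listed in the post for the two samples.
KNOWN_BAD_SHA1 = {
    "4ba312a6eaf79da9036d4228a43f19c611345a5a": "ANDROIDOS_DOWGIN.AXMD",
    "8373aedc9819ff5dacb0fc1864eeb96adc5210b2": "ANDROIDOS_DOWNLOADER.CBTJ",
}

# Permissions tied to the behaviours described: installing other apps, planting icons.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.INSTALL_PACKAGES",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "com.android.launcher.permission.INSTALL_SHORTCUT",
}

def classify_sha1(digest):
    return KNOWN_BAD_SHA1.get(digest.strip().lower())

def triage_manifest(manifest_xml):
    """Return the red flags found in a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    flags = []
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    for perm in sorted(requested & SUSPICIOUS_PERMISSIONS):
        flags.append("requests " + perm)
    # A receiver protected by BIND_DEVICE_ADMIN is how an app asks to become a
    # device administrator, which the post calls a red flag for a game.
    for recv in root.iter("receiver"):
        if recv.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            flags.append("device-admin receiver " + (recv.get(ANDROID_NS + "name") or "?"))
    return flags

# Constructed sample manifest for illustration; not taken from either real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakemario">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for flag in triage_manifest(SAMPLE_MANIFEST):
        print("RED FLAG:", flag)
```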