Researchers at TrendLabs, the research arm of security vendor Trend Micro, have identified several malicious Android apps posing as the popular Super Mario Run game, and some of these apps are capable of stealing credit card information. The new credit card stealing variant, named “Fobus” (detected as ANDROIDOS_FOBUS.OPSF), asks during installation to be activated as a device administrator; once successfully installed, it gathers sensitive information such as the user’s mobile number, contact information, location, and SMS messages from the device.
The device administrator privileges allow it to hide its own icon if the user tries to run the fake app, which has the same icon as the real Super Mario Run app. This also makes uninstalling the fake app more difficult. No version of the game is actually installed.
The researchers at TrendLabs claimed that “the real purpose of this app is to steal credit card information.” When Google Play is launched with this app installed, a fake screen pops up and asks the user to enter their credit card information. Even if the user tries to tap the grayed-out area in the background, the pop-up cannot be closed; the user has no choice but to enter credit card information into the field in order to access Google Play.
The app goes as far as to check whether the entered card number is a valid one. The first six digits identify the issuing network of the card (i.e., Visa, Mastercard, etc.), and the app displays the logo of the appropriate network. It also uses the Luhn algorithm to check whether the number is well-formed. If an invalid number is entered, it displays an error message saying “Incorrect credit card number”.
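To make the two checks described above concrete, here is an added Python example (not code from the article or from the malware) showing what a Luhn check and an issuing-network lookup on the first six digits (the IIN) actually compute. The IIN table is a simplified, constructed one covering only a few well-known ranges, and the card numbers in the comments are standard publicly documented test numbers, not real cards. The point for defenders is that this validation is trivial to implement and is exactly what a legitimate payment form also does, so a convincing network logo and a correct “invalid number” error say nothing about whether the form is genuine; the suspicious signal is a card prompt appearing over Google Play at all.

```python
"""Luhn checksum and issuing-network lookup (added illustrative example)."""

# Simplified, constructed IIN table: (low, high, network) over the first six digits.
# Real IIN assignments are far larger and change over time; this is illustrative only.
IIN_RANGES = [
    (400000, 499999, "Visa"),
    (510000, 559999, "Mastercard"),
    (222100, 272099, "Mastercard"),          # 2-series range
    (340000, 349999, "American Express"),
    (370000, 379999, "American Express"),
]


def _clean(number: str) -> str:
    """Strip the spaces and hyphens people commonly type into card fields."""
    return number.replace(" ", "").replace("-", "")


def luhn_valid(number: str) -> bool:
    """Return True if the number passes the Luhn (mod 10) checksum.

    Working from the rightmost digit, every second digit is doubled and,
    if the result exceeds 9, reduced by 9; the number is well-formed if
    the sum of all digits is divisible by 10.
    """
    cleaned = _clean(number)
    if not cleaned.isdigit() or not 12 <= len(cleaned) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuing_network(number: str) -> str:
    """Map the first six digits (IIN) to a network name, or 'unknown'."""
    cleaned = _clean(number)
    if len(cleaned) < 6 or not cleaned[:6].isdigit():
        return "unknown"
    iin = int(cleaned[:6])
    for low, high, name in IIN_RANGES:
        if low <= iin <= high:
            return name
    return "unknown"


def classify(number: str) -> dict:
    """Combine both checks, mirroring what a card-entry form evaluates."""
    return {"network": issuing_network(number), "luhn_valid": luhn_valid(number)}


if __name__ == "__main__":
    # Publicly documented test numbers, not real cards.
    for sample in ("4111 1111 1111 1111", "5555555555554444",
                   "378282246310005", "4111111111111112"):
        print(sample, classify(sample))
```

Both checks are purely structural: they catch typos, not fraud, and they can be satisfied by any syntactically correct number. A mobile security product or an analyst looking at this sample would therefore key on behaviour (a device-administrator request from a “game”, an overlay presented when Google Play starts, card data sent to a remote server) rather than on the quality of the input validation.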
If a valid card number is entered, the app then displays additional fields asking for the card holder’s name, the card’s expiration date, and security code—information that is located on the card itself.
When the user has entered this information, the app asks for even more, this time about the user: their birthday, address, and phone number. Only after entering all the information can the user finally access Google Play.
The app also allowed a remote attacker to reset the device’s PIN; this was done via commands issued by a command-and-control (C&C) server. This allowed an attacker to lock the user out of their own device. This C&C server also receives the credit card information stolen from the user in the previous steps.
The researchers advised that “Users should only install apps from the Google Play or trusted third-party app stores and use mobile security solutions to block threats from app stores before they can be installed and cause damage to your device or data.”