Dozens of malicious Android apps claiming to be the mobile game Super Mario Run have been detected by researchers at Trend Micro.
Some of the apps based on the popular game are capable of stealing credit card information from unsuspecting victims, according to a post on a blog from Trend Micro's TrendLabs team.
The new credit card stealing variant, dubbed Fobus (detected as ANDROIDOS_FOBUS.OPSF), is just another malicious app in a long line of phony apps purporting to be mobile games, such as Pokemon or Mario, that dupe gamers into downloading potentially unwanted apps (PUAs), the researchers said.
The icon is similar to that of the real Super Mario Run game, but rather than receiving the expected game, customers of third-party app stores download the exploit which can siphon out the user's mobile number, contact information, location, and SMS messages from their device...and more.
"The real purpose of this app is to steal credit card information," the researchers stated.
Once clicked on, Google Play is launched and a phony popup screen appears requesting the player's credit card data. From there, the process appears legitimate as the correct credit card brand's logo appears as the app verifies if the number is valid. Another screen then appears requesting the gamer enter the cardholder name, the card's expiration date, and its security code. It then requests further personal information, such as birthday, address and phone number. Once all data is entered, the gamer gains access to Google Play.
However, at this point, remote attackers gain control of the device and can reset the device's PIN – via commands from the C&C server – and lock the user out of the device. At the same time, the C&C server siphons out the user's credit card data.
The solution, said the researchers, is to avoid “unreleased” versions of legitimate apps from third-party stores. The TrendLabs team strongly advised users acquire apps solely from "legitimate app stores such as Google Play or a trusted third-party app store."