According to the Symantec and F-Secure blogs, a malicious "Super Mario Bros." app appeared in Google Play for several days. It looks like an action game, but after installation completes, the icon displayed is "Mario HD Wallpaper", as shown in Figure 2. Google Play has removed this app and some related apps from the same developer, but the apps can still be found in 3rd-party markets, as shown in Figure 1. This app uses a 2-stage or multi-stage infection technique in order to evade Google Play review. Simply put, the first-stage app is usually harmless, but the second stage downloads malicious content or another malicious APK to install.

In this app (Super Mario Bros.), we found 3 malicious Dropbox links; they all point to http://dl.dropbox.com/u/87265868/Activator.apk.

 

Obviously, the second stage is to download "Activator.apk" and install it. After installation completes, "Activator" is launched, sends premium-rate SMS messages (targeting the Eastern European area), and finally uninstalls itself.
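A defensive triage sketch for the two-stage pattern described above, added here as an example and not AegisLab's own tooling: it scans every member of an APK for embedded URLs ending in .apk and notes whether the package-install MIME type is also present. The host watchlist, the install-MIME heuristic, and the sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# ASCII URLs ending in .apk; dex string data stores such strings as raw bytes.
APK_URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,200}?\.apk\b", re.IGNORECASE)
# Assumed watchlist of file-sharing hosts (illustrative, extend as needed).
FILE_HOSTS = ("dropbox.com",)
# MIME type commonly passed to an install intent (assumed install path).
INSTALL_MIME = b"application/vnd.android.package-archive"


def triage_apk(apk_bytes):
    """Report embedded .apk download URLs found in any member of an APK."""
    hits = {}
    install_hint = False
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            install_hint = install_hint or INSTALL_MIME in data
            for match in APK_URL_RE.finditer(data):
                url = match.group().decode("ascii")
                hits[url] = hits.get(url, 0) + 1
    findings = []
    for url, count in sorted(hits.items()):
        host = url.split("/")[2].split(":")[0].lower()
        on_file_host = any(host == h or host.endswith("." + h) for h in FILE_HOSTS)
        findings.append({"url": url, "references": count,
                         "file_host": on_file_host, "install_hint": install_hint})
    return findings


def build_sample_apk(strings):
    """Constructed stand-in for an APK: a zip whose classes.dex holds strings."""
    blob = b"dex\n035\x00" + b"".join(s + b"\x00" for s in strings)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", blob)
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder bytes
    return buf.getvalue()


STAGE2_URL = b"http://dl.dropbox.com/u/87265868/Activator.apk"  # URL from this post
DROPPER = build_sample_apk([STAGE2_URL] * 3 + [INSTALL_MIME])  # constructed sample
BENIGN = build_sample_apk([b"http://example.com/wallpaper.png"])  # constructed sample

if __name__ == "__main__":
    for finding in triage_apk(DROPPER):
        print(finding)
```

A hit is a reason to inspect the app further, not a verdict: legitimate apps also link to APK downloads, and a dropper that builds its URL at runtime will not match.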

Figure 1: We discovered it on a 3rd-party market.

 

Figure 2: "Mario HD Wallpaper"

 

Figure 3: Russian disclaimer

 

Figure 4: Russian disclaimer

  

Figure 5: AegisLab Antivirus detected

VirusTotal detection rate:

According to the developer information, AegisLab discovered 5 related apps from the same developer, and AegisLab Antivirus can detect them all.

By AegisLab