Super Mario Run Rife with Security Issues

The Italian-American cultural stereotype bonanza we know as Mario Bros. (handlebar mustache, check; work overalls, check; broken English, a-check-a!) is baaaaaack. And as this slogger, who remembers the early, halcyon days of Donkey Kong, knows—it’s freaking addictive!

Super Mario Run launched in mid-December to become the hottest mobile game phenomenon since Pokémon GO, racking up 37 million downloads in its first three days, according to App Annie. As of this week, it has seen a total of 90 million downloads, according to Newzoo.

But there’s a downside. The big issue for our purposes revolves around an age-old saga of a-social-a engineering-a, in culturally insensitive Mario-speak.

Unlike Pokémon GO, which attracted criminals because of its popularity, Super Mario Run is attracting them by virtue of its monetization model. Rather than take a freemium approach with in-app purchases, Super Mario Run goes straight for the plumber's pipe: although the app is free to download, only the first three levels are free. It costs $9.99 to unlock the full game (all 24 levels across six worlds). Needless to say, this is pricey for an iOS game (games on average cost half that or less), and some investors worry that the high price tag could turn away users. In fact, only 3 million of the 90 million have actually paid for the full game so far.

This leads to a deeper concern beyond Nintendo’s bottom line: The pay wall offers up a huge vector for cyber-criminals looking to dupe the desperate.

Since I can attest to how enticing the game is, I picture this scenario as being common: “I MUST save the princess! What can I do? It’s between paying for the levels or my ramen dinner tonight. Noooooooooo! The PRINCESS!!!!” It must be worse than Tyrone Biggums going cold turkey.

Unsurprisingly, social media security firm ZeroFOX has identified 341 malicious Super Mario Run accounts and scores of cyber-criminals looking to exploit that monkey on the backs of players. Tactics include advertising free downloads or “hacks” to get around the $9.99 paywall, and fake coin scams. As for the latter, the game's in-game currency is coins that Mario picks up along his travels, and scammers advertise shortened, suspicious links that supposedly lead to the dubious prize.

Attackers are also simply hijacking trending Mario hashtags to advertise their otherwise scammy links (e.g. “watch Rogue One free now!”).

Meanwhile, according to Zscaler, attackers are taking advantage of the game's popularity and spreading malware posing as an Android version of the game—a savvy tactic considering that right now there’s only an Apple version of the game.

“Recently, ThreatlabZ came across a variant of Android Marcher Trojan disguised as the Super Mario Run app in one of our threat feeds,” the firm explained. “This malware scams users by presenting fake finance apps and credit card page in order to harvest banking details.”

Marcher is a sophisticated banking malware that targets a wide variety of banking and financial apps, as well as credit cards, by presenting fake overlay pages. Once the user's mobile device is infected, the malware waits for the victim to open one of its targeted apps and then presents a fake overlay page asking for banking details. Unsuspecting victims enter their details, which are harvested and sent out to the malware's command and control (C&C) server.

So, while the story of Mario’s monetization woes is being told in the pages of the Wall Street Journal and beyond (a story that should be called “Entitled Millennials Refuse to Pay $10 for Perfectly Good App,” quipped the Boy Genius Report), players should be aware that cyber-criminals are looking for monetization of another sort. So if you see an offer to get around the pay wall, or a download offer for an Android version, Super Mario Run the other way.

Photo © Wachiwit 
