{
	"id": "06d18308-ced6-41dd-9951-2d879ff34b96",
	"created_at": "2026-04-06T00:06:28.546356Z",
	"updated_at": "2026-04-10T03:20:58.849013Z",
	"deleted_at": null,
	"sha1_hash": "14b113b98078eac71afe0f73e04746e7866994ff",
	"title": "Super Mario Run Malware #2 – DroidJack RAT | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 441992,
	"plain_text": "Super Mario Run Malware #2 – DroidJack RAT | Zscaler Blog\r\nBy Viral Gandhi\r\nPublished: 2017-01-12 · Archived: 2026-04-05 13:51:26 UTC\r\nA few days back, we wrote about an Android Marcher trojan variant posing as the Super Mario Run game for Android. We have found another instance of malware posing as the Super Mario Run Android app, and this time it has taken the form of DroidJack RAT (remote access trojan). Proofpoint wrote about the DroidJack RAT side-loaded with the Pokemon GO app back in July 2016; the difference here is that there is no game included in the malicious package. The authors are trying to latch onto the popularity of the Super Mario Run game to target eagerly waiting Android users.\r\nDetails:\r\nName: Super Mario Run\r\nPackage Name: net.droidjack.server\r\nMD5: 69b4b32e4636f1981841cbbe3b927560\r\nTechnical Analysis:\r\nThe malicious package claims to be the Super Mario Run game, as shown in the permissions screenshot below, but in reality this is a malicious RAT called DroidJack (also known as SandroRAT) that is getting installed.\r\nhttps://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat\r\nPage 1 of 8\n\nFigure 1: Permissions.\r\nOnce installed, the RAT registers the infected device as shown below.\r\nFigure 2: Infected device registration.\r\nDroidJack RAT starts capturing sensitive information like call data, SMS data, videos, photos, etc. Observe below the code routine for call recording.\r\nFigure 3: Call recording.\r\nThis RAT records all the calls and stores the recording to an “.amr” file.\r\nThe following is the code routine for video capturing.\r\nFigure 4: Video capturing.\r\nHere, the RAT stores all the captured videos in a “video.3gp” file.\r\nIt also harvests call details and SMS logs as shown below.\r\nFigure 5: SMS logs.\r\nFigure 6: Call logs.\r\nUpon further inspection, we have observed that this RAT extracts WhatsApp data too.\r\nFigure 7: WhatsApp data.\r\nThe RAT stores all the data in a database (DB) in order to send it to the Command \u0026 Control (C\u0026C) server. The following are the DBs created and maintained by the RAT.\r\nFigure 8: Databases.\r\nWe saw the following hardcoded C\u0026C server location in the RAT package:\r\nFigure 9: Hardcoded C\u0026C.\r\nConclusion:\r\nThe DroidJack RAT is another example of a growing trend in which malware authors seek to exploit public interest as a way to spread malware. In this case, like others before, the event of a popular game release became an opportunity to trick unsuspecting users into downloading the RAT. As a reminder, it is always a good practice to download apps only from trusted app stores such as Google Play. This practice can be enforced by unchecking the \"Unknown Sources\" option under the \"Security\" settings of your device.\r\nZscaler ThreatLabZ is actively monitoring this malware to ensure that Zscaler customers are protected from infection.\r\nSource: https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat"
	],
	"report_names": [
		"super-mario-run-malware-2-droidjack-rat"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433988,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14b113b98078eac71afe0f73e04746e7866994ff.pdf",
		"text": "https://archive.orkl.eu/14b113b98078eac71afe0f73e04746e7866994ff.txt",
		"img": "https://archive.orkl.eu/14b113b98078eac71afe0f73e04746e7866994ff.jpg"
	}
}