Infected NES games for Android steal your data, text your friends, ask for cash

ExpressVPN

A nostalgic speed run through Super Mario Bros. on your Android phone could cost you more than a few extra lives, according to a recent report from Palo Alto Networks.

Gunpoder is a nasty family of malware that slips past many antivirus programs by posing as adware. It's packaged into classic NES game apps together with Airpush, an adware library with many legitimate advertisements. Airpush tells Palo Alto Networks that its platform was abused by Gunpoder and that it is not responsible for the virus.

How Gunpoder works

Victims download infected emulated NES games like Super Mario Bros. in the form of .apk files outside of the Google Play Store. These games are not sanctioned by Nintendo; they are built on an open-source emulator framework called Nesoid. Once the app is installed, malicious ads start collecting information from your phone.

Gunpoder steals your bookmarks, browser histories, and contact lists. It can then SMS your contacts with a link to download the app, with the message, “a fun game , ^_^ <link>”. The malware also pushes fraudulent advertisements disguised as Facebook pages, which ask you to fill out surveys and install more apps in order to receive a gift.

To make things worse, the app also prompts you to pay for a lifelong license on launch using PayPal or Skrill. Clicking the “cheats” button, which is usually free, also opens the payment dialog. Granted, you’d have to be pretty gullible to pay the 49 cents, as the malware’s message is poorly written (“once pay, lifelong owning an incredible arcade game. Great! Certainly!”).

How to avoid Gunpoder

Palo Alto Networks says the trend of repackaging open-source software as harmful apps is a growing one. The easiest way to avoid such attacks is to abstain from app stores that aren’t Google Play. But if you insist on using external app stores, be sure to thoroughly check the app’s permissions, read reviews, and do research on the developer and publisher before installing.
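One way to carry out the permission check described above, as an added example that is not from the original article or from Palo Alto Networks: the script reads a permission listing in the style printed by `aapt dump permissions` and flags requests a game has no need for. The permission-to-behaviour mapping and both sample listings are constructed for illustration.

```python
import re

# Permissions matching the behaviours this article describes. The mapping is
# an assumption of this example, not a list from Palo Alto Networks' report.
RISKY = {
    "android.permission.READ_CONTACTS": "can read your contact list",
    "android.permission.SEND_SMS": "can send text messages",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS":
        "can read browser history and bookmarks",
}
SPREAD_PAIR = {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"}

# Accepts both "uses-permission: name='X'" and the older "uses-permission: X".
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([A-Za-z0-9_.]+)")

def requested_permissions(dump):
    """Return the set of permission names found in an aapt-style listing."""
    found = set()
    for line in dump.splitlines():
        match = PERM_RE.match(line.strip())
        if match:
            found.add(match.group(1))
    return found

def review(dump):
    """Return (flagged permissions with reasons, True if the app could text your contacts)."""
    perms = requested_permissions(dump)
    flagged = {name: why for name, why in RISKY.items() if name in perms}
    return flagged, SPREAD_PAIR <= perms

# Constructed sample listings, not taken from any real app.
SAMPLE_GAME = """package: com.example.nesgame
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='com.android.browser.permission.READ_HISTORY_BOOKMARKS'
"""
SAMPLE_EMULATOR = """package: com.example.emulator
uses-permission: android.permission.INTERNET
uses-permission: android.permission.WRITE_EXTERNAL_STORAGE
"""

if __name__ == "__main__":
    for label, dump in (("game", SAMPLE_GAME), ("emulator", SAMPLE_EMULATOR)):
        flagged, can_text_contacts = review(dump)
        print(label, "-", len(flagged), "flagged permission(s)")
        for name, why in flagged.items():
            print("  ", name, "->", why)
        if can_text_contacts:
            print("   contacts + SMS: the app could message everyone in your address book")
```

To check a real download, pass `review()` the text printed by `aapt dump permissions` (from the Android SDK build tools) for that .apk file.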

What to do if you think you might be infected with Gunpoder

If you’ve recently been battling Bowser on your Samsung and you think you might be infected, restart the phone in Safe Mode and uninstall the app. In some cases, you may have to disable the app’s administrator status. Find detailed instructions on how to do all this here.

Gunpoder has been identified in thirteen countries so far: the US, Spain, Italy, France, Russia, Thailand, India, Indonesia, Mexico, Brazil, Saudi Arabia, Iraq, and South Africa. Notably, China is missing from that list, and the virus will not send an SMS to users located in China.

How to play Nintendo games without getting infected

Nintendo has been slow to adapt to the smartphone gaming trend, but for those who want to play some classic NES games, plenty of free and safe emulators are available on Google Play. Keep in mind, however, that the ROM files containing the individual games are often not included, and downloading them without paying is akin to piracy.

Featured image: Evan-Amos / The Vanamo Online Game Museum (image has been edited)