
S0320: DroidJack

DroidJack is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. [1] [2]

Mobile | S0320 | Malware | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

DroidJack matters because it represents Android remote access malware that has been observed masquerading as popular legitimate apps. For security leaders, the practical issue is not the brand name alone; it is whether the organization can identify risky sideloaded or impersonated Android applications before they gain access to sensitive mobile sensors and data such as microphone audio, camera/video, call logs, and SMS messages.

Executive priority

Treat DroidJack as a mobile security readiness checkpoint. Executives should ask whether corporate Android devices, BYOD access paths, and mobile-enabled business processes have controls and evidence for application provenance, risky permissions, and potential data collection from microphones, cameras, call logs, and SMS. This is relevant to business continuity, privacy/compliance evidence, executive and workforce protection, and incident response decisions when mobile devices may handle sensitive communications.

Technical view

ATT&CK lists DroidJack for Android and relates it to Audio Capture, Video Capture, Call Log collection, SMS Messages collection, and matching a legitimate name or location. SOC, mobile security, and IR teams should validate whether they can see Android application inventory, package identity, install source, requested permissions, permission grant state, and suspicious use of sensitive APIs or content providers. Because no official ATT&CK detection text is provided, detection engineering should be based on the related behaviors and local mobile telemetry rather than a single malware-name alert.

Likely telemetry

  • Android application inventory and package metadata
  • Application install source and sideloading indicators
  • Requested and granted permissions, especially RECORD_AUDIO, camera access, call log access, and SMS access
  • Mobile device management or enterprise mobility management compliance records
  • Mobile threat defense alerts, if deployed

Detection direction

  • Validate coverage for Android devices specifically; do not assume desktop EDR coverage applies to this object.
  • Look for applications using legitimate-looking names, icons, or package conventions while requesting sensitive permissions inconsistent with business need.
  • Prioritize alerts where sideloaded or non-approved apps request microphone, camera, call log, or SMS access.
  • Tune false positives carefully because legitimate communication, conferencing, messaging, and support applications may request some of the same permissions.
  • Correlate package reputation, signing information, install source, permission grants, and user/device context before escalating.
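As an added illustration of the correlation step in the list above (example code, not Glexia's or MITRE's), the script below scores records from a hypothetical Android inventory export; the field names, the allowlist of official packages and signers, and the sample records are all constructed.

```python
# Added example, not Glexia's or MITRE's code. Correlates label, package, signer,
# installer and granted permissions; field names, allowlist, samples are constructed.
SENSITIVE = {  # permission -> data exposed (the page's telemetry list)
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
}
# Hypothetical allowlist, label -> (official package, signer digest); placeholders.
KNOWN_GOOD = {
    "pokemon go": ("com.example.pokemongo", "sha256:PLACEHOLDER-SIGNER-A"),
    "super mario run": ("com.example.supermariorun", "sha256:PLACEHOLDER-SIGNER-B"),
}
APPROVED_INSTALLERS = {"com.android.vending"}  # Google Play store package name

def triage(app):
    """Score one inventory record; returns (severity, reasons)."""
    reasons = []
    known = KNOWN_GOOD.get(app["label"].strip().lower())
    impersonating = False
    if known and app["package"] != known[0]:
        impersonating = True  # popular app's name on an unrelated package
        reasons.append(f"label '{app['label']}' but package {app['package']}")
    elif known and app["signer"] != known[1]:
        impersonating = True  # right package name, wrong signing certificate
        reasons.append("official package name with unexpected signer")
    sideloaded = app["installer"] not in APPROVED_INSTALLERS
    if sideloaded:
        reasons.append(f"sideloaded via {app['installer'] or 'unknown installer'}")
    exposed = sorted({SENSITIVE[p] for p in app["granted"] if p in SENSITIVE})
    if exposed:
        reasons.append("sensitive access: " + ", ".join(exposed))
    if impersonating and exposed:
        severity = "high"    # lookalike app that can reach mic/camera/calls/SMS
    elif exposed and sideloaded:
        severity = "medium"  # unknown provenance plus sensitive access
    else:
        severity = "low"     # e.g. a Play-installed official app using the camera
    return severity, reasons

SAMPLE_INVENTORY = [  # constructed records, not real observations
    {"label": "Pokemon GO", "package": "com.example.pokemongo", "installer": "com.android.vending",
     "signer": "sha256:PLACEHOLDER-SIGNER-A", "granted": ["android.permission.CAMERA"]},
    {"label": "Pokemon GO", "package": "net.example.pokemon.go", "installer": "", "signer": "sha256:X",
     "granted": ["android.permission.RECORD_AUDIO", "android.permission.READ_SMS",
                 "android.permission.READ_CALL_LOG"]},
    {"label": "Notes", "package": "org.example.notes", "installer": "", "signer": "sha256:Y",
     "granted": ["android.permission.CAMERA"]},
]
```

Only the second record reaches "high": it carries the label of a known app on a different package, has no approved installer, and holds microphone, SMS and call-log grants, which is the combination the list above says to prioritize.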

Mitigation priorities

  • Establish or validate Android application allowlisting and approved app-store policies for managed devices.
  • Restrict or monitor sideloading where business requirements allow.
  • Use MDM/EMM policy to review and limit sensitive permissions for microphone, camera, call log, and SMS access.
  • Maintain mobile application inventory and compliance evidence for audit and incident response.
  • Educate users about lookalike applications posing as popular or trusted apps, especially outside approved distribution channels.

Analyst notes and limits

The supplied ATT&CK object identifies DroidJack as Android malware observed posing as legitimate applications, with relationships to mobile collection and masquerading techniques. The strongest defensive value is to use this object as a test of mobile visibility and control maturity: can the team prove which Android apps are installed, where they came from, what permissions they have, and whether sensitive mobile data could be accessed?

ATT&CK does not provide tactics or official detection content for this object in the supplied fields. The source material supports Android only and does not support claims about current activity, attribution, prevalence, specific victims, or guaranteed detection. Local device management, mobile telemetry, and forensic evidence are required to assess exposure or compromise.

Official MITRE ATT&CK definition

DroidJack

DroidJack is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. [1] [2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1655.001 | Match Legitimate Name or Location (sub-technique) | DroidJack included code from the legitimate Pokemon GO app in order to appear identical to the user, but it also included additional malicious code. (Citation: Proofpoint-Droidjack)
Mobile | T1512 | Video Capture | DroidJack can capture video using device cameras. (Citation: Zscaler-SuperMarioRun)
Mobile | T1429 | Audio Capture | DroidJack is capable of recording device phone calls. (Citation: Zscaler-SuperMarioRun)
Mobile | T1636.004 | SMS Messages (sub-technique) | DroidJack captures SMS data. (Citation: Zscaler-SuperMarioRun)
Mobile | T1636.002 | Call Log (sub-technique) | DroidJack captures call data. (Citation: Zscaler-SuperMarioRun)

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: daa5a704a151c140...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | daa5a704a151…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Zscaler-SuperMarioRun: Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017.
  2. [2] Proofpoint-Droidjack: Proofpoint. (2016, July 7). DroidJack Uses Side-Load…It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017.
  3. [3] DroidJack: (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)
  4. [4] mitre-attack S0320

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.