ATT&CKcon 6.0 is coming October 14-15 in McLean, VA and live online. To potentially join us on stage, submit to our CFP by July 9th

DroidJack

DroidJack is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. ^[1] ^[2]

ID: S0320

ⓘ

Type: MALWARE

ⓘ

Platforms: Android

Version: 1.2

Created: 25 October 2017

Last Modified: 16 April 2025

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Mobile	T1429		Audio Capture	DroidJack is capable of recording device phone calls.^[1]
Mobile	T1655	.001	Masquerading: Match Legitimate Name or Location	DroidJack included code from the legitimate Pokemon GO app in order to appear identical to the user, but it also included additional malicious code.^[2]
Mobile	T1636	.002	Protected User Data: Call Log	DroidJack captures call data.^[1]
		.004	Protected User Data: SMS Messages	DroidJack captures SMS data.^[1]
Mobile	T1512		Video Capture	DroidJack can capture video using device cameras.^[1]

References

Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017.

Proofpoint. (2016, July 7). DroidJack Uses Side-Load…It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017.

DroidJack

Mobile Layer

Techniques Used

References