What you may have missed in Pokemon Go

You are probably running to catch your next Pokémon and we can’t blame you, this game is so much fun! But take notice, the wildly popular app has drawn the attention of hackers, too.

Researchers found a malware-infected version of the Pokémon Go app for Android. The copy was modified to include a RAT. No, it’s not a new type of Pokémon, but a remote access Trojan that gives cyber-criminals full control over a victim’s mobile phone.

Pokémon Go also sparked privacy-concerns as its iOS version requested full access to Google accounts, whenever Google was used as a sign-in option. The issue was quickly fixed. Pokemon Go on iOS no longer requests full access to Google accounts when a Google is used as a sign-in option.

The Pokemon Go augmented-reality game has quickly become a smash hit, with 7.5 million US downloads in the first week. Demand for the game is so high that hackers have taken notice too.

Researchers have found a malware-infected version of the Pokemon Go app for Android. The malware, called Droidjack, is part of the AndroRAT family, a remote access Trojan that provides backdoor functionality and access to people’s mobile devices.

DroidJack is not a new threat. In December 2015, police cracked down on people who bought DroidJack from underground forums where it was sold for around $200. Police have raided homes across Europe and the US, arresting people suspected of installing the mobile phone malware to spy on their spouse, friends or neighbors.

Dwelling on Android threats, Bitdefender identified AndroRAT.A as a top Android threat of the first half of 2015. Like other RATs, this detection allows a remote attacker to control the infected device with a user-friendly control panel – monitor and make phone calls and send SMS messages, get the device’s GPS coordinates, activate and use the camera and microphone and access files on the device.

Another word of warning for players of the game on iOS. The Pokémon Go app requests more permissions than it needs. Signing into the app via a Google login reportedly gives the developer, Niantic, full access to users’ Google accounts, an error the company is working to fix.

We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account”, the company told Ars Technica. “However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access.

The Android version does not have the same issue.

Word of advice for users planning to download this and other popular mobile games:

  1. Beware of rogue applications posing as genuine games. Since Pokemon Go is officially available for download only in the US, Australia and New Zealand, the temptation to download it from third-party market places is huge. Yet copycats may carry malicious code that takes full control of the device, collecting users’ personal data and clicking on ads in the process. In fact, 19.55 percent of global threats are fake apps that install malware or highly aggressive adware, according to Bitdefender’s Android Threat Report for the second half of 2015. So it’s best to download apps only from official app stores.
  2. Install a security solution suitable for your mobile device to identify malicious applications before they’re installed and discover the privacy impact of apps already installed.
  3. When installing an app, review the permissions it requires and remove unnecessary ones. In this case:
  • Head to Google’s security page and look for Pokémon Go.
  • Select Pokémon Go, then click “Remove” to revoke full access.
  • Launch the game on your device.
  1. Check reviews about the app and the developer before installing a new application.
  2. Read the privacy policy or Terms of Service to know how your personal data is handled and who has access to it.
  3. As a general rule, don’t download fake apps posing as software updates, sent in unrequested emails.
  4. Also, avoid jailbreaking your device unless you know how to protect it from threats and can take full responsibility for its security. Jailbreaking will disable the “sandboxing” feature of the iOS, an essential piece of the operating system’s security architecture. Read more about the negatives.

The real-world adventure game also exposes users to physical risks, so stay aware of your surroundings to avoid falling prey to thieves, trespassing and even stumbling on a dead body!

Tips to consider

Whether you’re an avid Pokémon Go player or not, remember to review app permissions when installing any mobile application.

Also, if Pokémon Go is not yet available in your country, don’t rush into downloading it from third-party online markets; who knows what’s lurking in there? Trojans, backdoors and ransomware are not collectibles!


Leave a Reply