Poké-Pwned: Faux Pokémon Go App Hijacks Android Phones

The world has been taken over by 20-something zombies. Maybe you’ve seen them, roaming your city streets, heads down, hands relentlessly tapping their phones. But these millennial zombies aren’t after brains; instead, they’re searching their neighborhoods for Pikachus, Pidgeys, and a myriad of other Pokémon.

Pokémon GO, Nintendo’s new “augmented reality” game, is taking the world by storm. Less than a week after its release, the mobile game, which challenges users to find and catch Pokémon characters superimposed over their real-world surroundings, has surpassed Tinder in Android downloads and is close to surpassing Twitter in daily active users.

The game was first released in Australia and New Zealand on July 4th, followed quickly by a July 6th US release, but the rest of the world was left waiting.

But where there’s a will, there’s a way, and to that end, a large number of would-be Poké Masters have attempted to bypass regional release dates by side-loading the application to Android via unofficial app stores and websites.

However, in the mad rush to ‘catch ’em all’ some users could catch more than they bargained for, according to a report from security researchers at Proofpoint.


According to Proofpoint’s report, hackers have created an infected Android version of the newly released game and could circulate it on unofficial app markets. This Poké-copy was modified to include a malicious remote access tool (RAT) commonly known as DroidJack, which would “virtually give an attacker full control over a victim’s phone.”

Proofpoint found the malicious Android application package (APK) on a file repository but hasn’t yet found any malicious versions of the game circulating on app services.

Proofpoint recommends that gamers avoid potential infection by getting the game through the Play store (even if that means waiting), but also noted that savvy users can identify malicious copies simply by checking the list of permissions granted to the Pokemon Go game.

Though the authentic version of the game has some pretty extensive permission requirements, malicious copies of the game go even further, requiring access to wireless network connections and the ability to view the user’s web browsing. You can check the full list of permission differences here.
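The permission check Proofpoint describes can be done mechanically rather than by eyeballing the install prompt. The script below is an added example, not code from the article or from Proofpoint: it parses the text printed by `aapt dump permissions` for a known-good store build and for a sideloaded copy, reports which permissions the sideloaded copy adds, and flags those on a watch list. The package name, both permission sets and the watch list are constructed for illustration and are not the actual permission lists of the game or of the trojanised copy.

```python
"""Compare the permissions declared by a sideloaded APK against a
known-good baseline, using the output of `aapt dump permissions`.

Added example; not code from the article or from Proofpoint. The
permission sets and the watch list below are constructed for
illustration, not taken from the report."""
import re
from dataclasses import dataclass

# Matches both aapt output styles:
#   uses-permission: name='android.permission.INTERNET'
#   uses-permission: android.permission.INTERNET
_PERM_RE = re.compile(
    r"^\s*uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?.*$"
)


def parse_aapt_permissions(dump: str) -> set[str]:
    """Extract the set of uses-permission names from aapt's dump output."""
    perms: set[str] = set()
    for line in dump.splitlines():
        m = _PERM_RE.match(line)
        if m:
            perms.add(m.group(1))
    return perms


# Permissions that deserve a closer look when a repackaged game requests
# them but the store build does not. Illustrative list (an assumption of
# this example), not an authoritative danger taxonomy.
SUSPICIOUS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CHANGE_WIFI_STATE",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
}


@dataclass(frozen=True)
class PermissionDiff:
    added: frozenset      # requested by the suspect build only
    removed: frozenset    # requested by the baseline only
    flagged: frozenset    # added AND on the watch list


def diff_permissions(baseline: set, suspect: set) -> PermissionDiff:
    """Set difference in both directions, plus the added ones on the watch list."""
    added = frozenset(suspect - baseline)
    return PermissionDiff(
        added=added,
        removed=frozenset(baseline - suspect),
        flagged=frozenset(added & SUSPICIOUS),
    )


# Constructed aapt output for a known-good store build (placeholder package name).
BASELINE_DUMP = """\
package: com.example.game
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
"""

# Constructed aapt output for a sideloaded copy (older aapt formatting).
SUSPECT_DUMP = """\
package: com.example.game
uses-permission: android.permission.INTERNET
uses-permission: android.permission.ACCESS_FINE_LOCATION
uses-permission: android.permission.CAMERA
uses-permission: android.permission.ACCESS_NETWORK_STATE
uses-permission: android.permission.ACCESS_WIFI_STATE
uses-permission: android.permission.CHANGE_WIFI_STATE
uses-permission: com.android.browser.permission.READ_HISTORY_BOOKMARKS
uses-permission: android.permission.RECORD_AUDIO
"""


def check_suspect() -> PermissionDiff:
    """Diff the two constructed dumps; in practice feed real aapt output here."""
    return diff_permissions(parse_aapt_permissions(BASELINE_DUMP),
                            parse_aapt_permissions(SUSPECT_DUMP))


if __name__ == "__main__":
    d = check_suspect()
    print("Added   :", sorted(d.added))
    print("Removed :", sorted(d.removed))
    print("Flagged :", sorted(d.flagged))
```

To use it on real files, capture `aapt dump permissions store.apk` and `aapt dump permissions sideloaded.apk` into the two strings; a non-empty `flagged` set is the signal Proofpoint describes, since a game that suddenly wants the microphone, SMS or browser history has gained capabilities a remote-access tool needs and a game does not.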

Though the malicious copies of the game haven’t yet affected any players (that we know of), to Proofpoint, the existence of the altered game represents proof-of-concept that “cybercriminals can take advantage of the popularity of applications like Pokemon GO to trick users into installing malware on their devices.”

Bottom line, says Proofpoint: “just because you can get the latest software on your device does not mean that you should.”


Jeff Edwards

Jeff Edwards is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in Journalism from the University of Massachusetts Amherst, and previously worked as a reporter covering Boston City Hall.
