Pokémon Go has become a global phenomenon. Everywhere you look, someone is trying to catch a Jigglypuff or gather Razzberries from the nearest Pokestop. The popular phone app, which is available for both iOS and Android devices, is leading a generation of people to try to be the very best – along with being something fun and new for younger gamers, it’s bringing the nostalgia factor to older players who remember their very first encounter with Professor Oak.
But there may be an Ekans in the grass waiting to bite the ankles of unsuspecting trainers. Popularity often comes with a price, and this time, that price is the attention of cyber criminals.
It’s a fake!
Cyber attackers are crafty, and one way they’re pulling the wool over the eyes of Pokémon Go players is by creating a fake app. According to Hackread contributor Ryan De Souza, this Pokémon Go Ditto was in the Android app store masquerading as the real deal – instead, it had been injected with a remote access tool. The app is downloaded onto Android phones using the sideloading capability – meaning it wasn’t an “official” download in the first place. The simple rumor that the game was on the app store in places like New Zealand was enough to make people go to great lengths to download it in their own countries before it was officially released, and the cyber criminals behind the malware-laden app took advantage of their excitement. The malicious app was available on third-party sites less than 72 hours after the game was released.
The RAT that has been injected into this application is called DroidJack or SandroRAT, which allows intruders to take full control of a user’s device when installed. It can take pictures and videos, track your location and modify content on your device, among other troublesome issues.
“The main threat from sideloading applications onto a smartphone is that users must open certain security permissions to install the unofficial software,” wrote iDigitalTimes contributor Flonna Agomuoh. “In particular, users must enable the ‘unknown sources’ options, allowing the device to accept and install third-party software. With this option selected, users may unintentionally install compromised software onto their devices with the Pokémon Go APK.”
The idea of cyber criminals creating a way to take total control over your device isn’t new, but that doesn’t make it any less frightening. Parties with malicious intent could easily gain access to your location data and other important account details, potentially leading to identity theft or other kinds of fraud. To detect this malware on your device, you can check your permissions settings to see whether the app has permissions it shouldn’t. There doesn’t seem to be any cure for an infection of this nature yet – so be extra careful what apps you’re downloading.
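The permission check described above can also be done before installing, by comparing the permissions a sideloaded APK requests with those of the official-store build. This added example (not from the article or any vendor) does that over two constructed permission dumps in the format printed by `aapt dump permissions`; the package name, both dumps and the capability grouping are assumptions made for illustration.

```python
import re

# Standard Android permission names, grouped by the capabilities the article
# describes (the grouping itself is an assumption made for this example).
CAPABILITIES = {
    "pictures and video": {"android.permission.CAMERA",
                           "android.permission.RECORD_AUDIO"},
    "location tracking": {"android.permission.ACCESS_FINE_LOCATION",
                          "android.permission.ACCESS_COARSE_LOCATION"},
    "modifying content": {"android.permission.WRITE_EXTERNAL_STORAGE",
                          "android.permission.WRITE_CONTACTS"},
    "premium SMS": {"android.permission.SEND_SMS"},
}

# Accepts both `uses-permission: name='X'` and the older `uses-permission: X`.
_PERM_RE = re.compile(
    r"^\s*uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)", re.M)

def parse_permissions(dump):
    """Return the set of permissions requested in an aapt-style dump."""
    return set(_PERM_RE.findall(dump))

def extra_permissions(official_dump, candidate_dump):
    """Group permissions the candidate requests beyond the official build."""
    extras = parse_permissions(candidate_dump) - parse_permissions(official_dump)
    report = {}
    for perm in sorted(extras):
        label = next((cap for cap, perms in CAPABILITIES.items()
                      if perm in perms), "other")
        report.setdefault(label, []).append(perm)
    return report

# Constructed sample dumps; com.example.game is a placeholder package name.
OFFICIAL = """package: com.example.game
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""
SIDELOADED = OFFICIAL + """uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: android.permission.WRITE_EXTERNAL_STORAGE
"""

if __name__ == "__main__":
    for capability, perms in extra_permissions(OFFICIAL, SIDELOADED).items():
        print(f"{capability}: {', '.join(perms)}")
```

A game legitimately needs some sensitive permissions such as camera and location, which is why the comparison is made against the official build rather than against a fixed deny list.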
Not the first of its kind
This isn’t the first time an illegitimate application has taken users for a ride and potentially stolen data. Trend Micro researchers reported earlier this year on a fake Russian banking app called Fanta SDK that was capable of changing users’ phone passwords when they tried to remove or deactivate the app’s admin privileges. The application is available on third-party stores, and people have been downloading it across Russia.
The victims of this malicious application are customers of Sberbank of Russia, according to Sensors Tech Forum. Some users’ bank accounts have been compromised. Once a user notices that the app contains malware and tries to remove the admin privileges, the app changes passwords and empties bank accounts, particularly if the user has multiple accounts with Sberbank.
Another example that draws a closer parallel with the recent Pokémon Go phenomenon would be the slew of imposter accounts that cropped up when the mobile game Flappy Bird grew popular back in 2014. The original game was downloaded over 50 million times, which is most likely why cyber criminals decided to target unsuspecting users with these fake apps. Trend Micro researchers found that the icons associated with these fake apps looked exactly like the original’s. The malicious apps were wreaking havoc with users’ bank accounts by sending hidden messages to premium numbers and causing unwanted charges to their phone bills. So while mobile customers were happily playing their game, the app was sneakily sending messages and racking up premium fees on their accounts.
The lesson learned here and with the malicious Pokémon Go incarnation should be simple: Don’t download third-party apps unless you’re absolutely sure of the developers’ legitimacy.