07/12/2016 | Bochum, Author: Tim Berghoff

Pokémon Go: Catch 'em all – but not at any cost

Some may still know the adorable little pocket critters that were all the rage in the late 90s. Now they’re back as an Augmented Reality game for smartphones. Attackers try to use the popularity of this brand new game for themselves and prey on impatient gamers who cannot wait for the game to be released: at least one malicious version of the app has been discovered.

People who freeze on the spot and intently stare at their smartphone displays, either in shopping malls or at the side of the road – and then walk on again. You may hear some mutterings on the lines of “Just another Pidgey”. The reason for this strange behavior is a game called Pokémon Go. Originally published by Nintendo for their Game Boy platform, the game makes a big comeback on smartphones, as an Augmented Reality game, where the real world and the realm of the game meet. You catch cute little animated animals, but you need to go out of the house for that and physically go to the place where the animals are waiting, whether it’s in public parks, at the side of the road or at the mall. The developers give avid collectors of these little Japanese animals a new chance to live out their passion.

The malicious app itself

The craze around the game was also a call to action for some criminals: in a file sharing network, a version of the app installer was found that contained a remote control for Android devices. It appears that the legitimate app was repackaged with some added malware using a tool called “DroidJack”. The tool itself has legitimate use cases for developers, but in this case it was used to add a malicious piece of software called “AndroRAT”.

The malware first appeared in 2012/2013 and was already reported about in G DATA's Mobile Malware Report H1/2013. Devices infected with this RAT (Remote Access Tool) give up a lot of personal information to an attacker, including but not limited to contacts lists, logs and GPS coordinates. Attackers can even turn on the microphone and camera remotely. Data which was mined from an infected device can be sold for profit – blackmailing based on audio or video recordings is also a possibility. The permissions requested by any app are displayed when downloading it from Play Store. At this point, cautious users can already tell suspicious apps. Current versions of the Android operating system will also ask the user to confirm each permission when first running the app. 

It is also worth noting that the version of the app that is available to our researchers is signed using an expired certificate. The certificate holder also runs a blog, which seems to have been inactive since 2014. We cannot ascertain whether the manipulated app was distributed by the individual or if certificate was stolen and abused. In any case it is unwise to sign an app with an expired certificate.

G DATA customers are protected from the malicious app which is detected as “Android.Trojan.Kasandra.B” 

Attackers like following trends

In general, these events demonstrate that criminals are highly adaptable and can react to current trends very quickly, such as an eagerly awaited game.

To spread this malware, its makers rely on the air of exclusiveness that comes with running a game which officially is not on the market yet – the phenomenon is similar to what record collectors experience when they acquire a specific hand-numbered limited edition of an album. 

A player installs the manipulated app and might give up information in the process that was never intended to be seen by anybody else. Other actors are likely to jump on the band wagon to profit from the enthusiasm with which the game was anticipated.

Since its launch, Pokémon Go has been downloaded over 5.000.000 times worldwide. According to statistics portal SimilarWeb, within two days the app was installed on 5.16% of all Android devices in the US. To add a bit of perspective: the popular dating app ‘Tinder’ is only installed on a little over 2% of all devices. 

Pokémon Go is also set to break other records as well: SimilarWeb observations say that around 60% of all US installations of the game are being used actively on a daily basis. When compared to Twitter’s app, they predict that Pokémon Go might very soon have more active daily users than the popular 140-characters-per-message service. 

All this advocates the use of caution during the time immediately before a highly anticipated game or other app. 

Tips to stay safe while playing

Here are seven tips that will keep you safe which on the hunt for Pidgey and other Pokémon:

  1. Only install apps from trusted sources!
    The malicious app was distributed outside the official Google Play Store. This means that the app can only be installed when explicitly allowing the installation of apps from unknown sources. 
  2. Protect your mobile device with a security solution!
    A mobile device, just like your PC at home, must be equipped with a comprehensive security solution to fend off digital attacks. 
  3. Check the permissions requested by an app during installation!
    Illegitimate apps will try to secure additional permissions. Apps that request permission to use services that may cost you money or access to audio recording should always be put to scrutiny. Current Android versions will also ask you to confirm the permissions when first running the app.
  4. Be on your guard when on the hunt, both online and offline!
    The real world can be a dangerous place for Pokémon trainers - especially if you are on the hunt for a rare Pokémon and end up standing in the middle of a street. 
  5. Think first, then go on a hunt! 
    No game is perfect and can contain minor glitches. Should a Pokémon be located near a steep decline, it’s always better to leave it be than to risk injury. Also, avoid hunting for Pokémons in ‘shady areas’ – you can never rule out that there is a real-life thief who is after your smartphone. 
  6. Think of your privacy!
    The game needs the GPS coordinates of your smartphone or tablet PC in order for it to work. Any data collected in this process is available to the developers. Screen shots from the game posted on the web also can give away your current location.
  7. Avoid ruining your finances! 
    In many games you can buy in-game items for real currency. Those items give you an advantage inside the game. Such purchases can get out of hand if they go unchecked. We recommend either disabling in-app purchases altogether or at least carefully monitoring them and checking your invoices.

Share this article

G DATA | Trust in German Sicherheit