Pokemon GO trainers should prepare for trouble and make it double after researchers spotted villains using the app to steal more than pocket monsters and even raising privacy issues within the app itself.
Proofpoint researchers discovered a malicious Android version of the application, carrying the DroidJack trojan, on third-party file-sharing sites. It was uploaded on July 7, less than 72 hours after the game was officially released in New Zealand and Australia, according to a July 7 blog post.
The remote access trojan (RAT) could give an attacker virtually full control over a victim’s phone.
Researchers said the malicious app was most likely targeting users who were in a rapid dash to side-load the app before it was released in their region, since the app wasn’t globally released simultaneously.
To make matters worse, large media outlets reportedly offered instructions on how to download the game from a third party, with some going as far as providing instructions on how to install the APK, according to the post.
Trainers worried that they might have caught the malicious version have a few options to attempt to eradicate the threat, researchers said, including checking the SHA256 hash of the downloaded APK and comparing it to the hash of the malicious app, although researchers warn the malicious app may have since been updated.
Users can also check the permissions granted to the app and ensure it isn’t requesting more permissions than the legitimate app requests.
The malicious version of the app requests permission to read web bookmarks and history, change network connectivity and disconnect from Wi-Fi, view Wi-Fi connections, retrieve running apps and run at startup.
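The two checks described above, hashing the APK and diffing its requested permissions against the legitimate app’s, as an added example that is not part of the original article. The baseline permission set, the `aapt dump permissions` sample output and the hash placeholder are constructed for illustration; the Android permission names are the standard ones matching the capabilities the article lists.

```python
import hashlib
import re

# Constructed baseline: permissions the legitimate game is assumed to request.
# A defender would derive this from a known-good APK, not from this list.
EXPECTED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.VIBRATE",
}

# Standard Android permission names for the extra capabilities the article
# attributes to the trojanised build, with a short description for the report.
SUSPICIOUS_PERMISSIONS = {
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read web bookmarks and history",
    "android.permission.CHANGE_NETWORK_STATE": "change network connectivity",
    "android.permission.CHANGE_WIFI_STATE": "connect/disconnect Wi-Fi",
    "android.permission.ACCESS_WIFI_STATE": "view Wi-Fi connections",
    "android.permission.GET_TASKS": "retrieve running apps",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup",
}

# Placeholder: the real SHA256 is published in the Proofpoint post, not here.
KNOWN_BAD_SHA256 = {"<sha256-of-malicious-apk-from-proofpoint-post>"}

# Matches both `uses-permission: name='X'` and the older `uses-permission: X`.
_PERM_RE = re.compile(r"uses-permission:\s*(?:name=')?([\w.]+)")

def parse_aapt_permissions(aapt_output: str) -> set[str]:
    """Extract permission names from `aapt dump permissions <apk>` output."""
    return set(_PERM_RE.findall(aapt_output))

def unexpected_permissions(requested: set[str]) -> dict[str, str]:
    """Permissions beyond the baseline, each with the reason it is flagged."""
    extras = requested - EXPECTED_PERMISSIONS
    return {p: SUSPICIOUS_PERMISSIONS.get(p, "not requested by legitimate app")
            for p in sorted(extras)}

def is_known_bad(apk_bytes: bytes) -> bool:
    """Hash the downloaded APK and compare it to the published indicator."""
    return hashlib.sha256(apk_bytes).hexdigest() in KNOWN_BAD_SHA256

# Constructed sample output for a side-loaded build that over-requests.
SAMPLE_AAPT_OUTPUT = """\
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='com.android.browser.permission.READ_HISTORY_BOOKMARKS'
uses-permission: name='android.permission.CHANGE_WIFI_STATE'
uses-permission: name='android.permission.GET_TASKS'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""
```

Running `unexpected_permissions(parse_aapt_permissions(SAMPLE_AAPT_OUTPUT))` flags the four extra permissions with their descriptions; a clean hash check alone is not sufficient, since the article notes the malicious build may have been updated.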
Tim Erlin, Tripwire senior director of product management, told SCMagazine.com that a popular app that’s not available in some places is a near-perfect target for crafting a malware delivery strategy.
“When it comes to malware, you really don’t want to catch ’em all,” Erlin said via emailed comments. “People have proven time and time again that they’ll click recklessly to get access to new, prohibited or early-release software. Attackers have proven time and time again that they’ll find a way to infect that software.”
The app itself has raised concerns among some researchers over the permissions it requests.
Independent security researcher Adam Reeve noted in a July 8 blog post that the app requires full Gmail account access.
This means that Pokemon GO and Niantic, the company that developed the app, have permission to read emails, send emails as the user, access all Google Drive content and more.
“When a developer sets up the ‘Sign in with Google’ functionality they specify what level of access they want – best practices (and simple logic) dictate you ask for the minimum you actually need, which is usually just simple contact information,” Reeve said.
Google and Niantic have since stated that “full access” counterintuitively means nothing of the sort, and independent researchers reportedly confirmed that the app only requests basic permissions, according to the Guardian.
The issue reportedly stems from Niantic’s use of an outdated, unsupported version of Google’s shared sign-on service that skips the permission-granting steps, which prompted Google to default to warning users that the app had “full access” to their accounts.
On July 12, the companies issued an updated version of the application that specified that the game only requested limited permissions.
Separately, bandits looking for real money in their quest to denounce the evils of truth and love were arrested for allegedly using the app to aid in a series of armed robberies. By adding a lure module to a Pokestop, they attracted players to remote locations where they were robbed, according to a press release on the O’Fallon, Missouri Police Department Facebook page.
The Pokémon Company International and Niantic, Inc. told SCMagazine.com that they are aware of some incidents.
“We encourage all people playing Pokémon GO to be aware of their surroundings and to play with friends when going to new or unfamiliar places,” the company said in an emailed statement. “Please remember to be safe and alert at all times.”
Malwarebytes researchers also warned users of physical threats like this, along with scams that offer free in-game items such as “Pokecoins,” according to a July 11 blog post.
“The real world dangers posed by careless playing are potentially bad enough without becoming tangled up in online shenanigans claiming to offer the GDP of a small country in Pokecoins,” the post said.
UPDATE: This story has been updated to include information about the application only requesting basic permissions.