
Pokemon Go: privacy and security concerns you should be aware of


The Pokemon Go augmented-reality game has quickly become a smash hit, with 7.5 million US downloads in the first week. Demand for the game is so high that hackers have taken notice too.

Researchers have found a malware-infected version of the Pokemon Go app for Android. The malware, called DroidJack, is part of the AndroRAT family of remote access Trojans (RATs), which provide backdoor functionality and access to people’s mobile devices.

DroidJack is not a new threat. In December 2015, police cracked down on people who bought DroidJack from underground forums, where it was sold for around $200. Police raided homes across Europe and the US, arresting people suspected of installing the mobile phone malware to spy on their spouses, friends or neighbors.

Among Android threats, Bitdefender identified AndroRAT.A as a top Android threat of the first half of 2015. Like other RATs, it allows a remote attacker to control the infected device through a user-friendly control panel: monitor and make phone calls, send SMS messages, get the device’s GPS coordinates, activate and use the camera and microphone, and access files on the device.

Another word of warning, this time for players of the game on iOS: the Pokémon Go app requests more permissions than it needs. Signing into the app via a Google login reportedly gives the developer, Niantic, full access to users’ Google accounts, an error the company is working to fix.

“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account,” the company told Ars Technica. “However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access.”

The Android version does not have the same issue.

A word of advice for users planning to download this and other popular mobile games:

  1. Beware of rogue applications posing as genuine games. Since Pokemon Go is officially available for download only in the US, Australia and New Zealand, the temptation to download it from third-party marketplaces is huge. Yet copycats may carry malicious code that takes full control of the device, collecting users’ personal data and clicking on ads in the process. In fact, 19.55 percent of global threats are fake apps that install malware or highly aggressive adware, according to Bitdefender’s Android Threat Report for the second half of 2015. So it’s best to download apps only from official app stores.
  2. Install a security solution suitable for your mobile device to identify malicious applications before they’re installed and discover the privacy impact of apps already installed.
  3. When installing an app, review the permissions it requires and remove unnecessary ones. In this case:
     • Head to Google’s security page and look for Pokémon Go.
     • Select Pokémon Go, then click “Remove” to revoke full access.
     • Launch the game on your device.
  4. Check reviews about the app and the developer before installing a new application.
  5. Read the privacy policy or Terms of Service to know how your personal data is handled and who has access to it.
  6. As a general rule, don’t download fake apps posing as software updates, sent in unrequested emails.
  7. Also, avoid jailbreaking your device unless you know how to protect it from threats and can take full responsibility for its security. Jailbreaking will disable the “sandboxing” feature of iOS, an essential piece of the operating system’s security architecture. Read more about the negatives.

The real-world adventure game also exposes users to physical risks, so stay aware of your surroundings to avoid falling prey to thieves, trespassing and even stumbling on a dead body!

Later edit: Pokémon Go on iOS no longer requests full access to Google accounts when a Google account is used as a sign-in option.

About the author

Alexandra GHEORGHE

Alexandra started writing about IT at the dawn of the decade - when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs. She has since wielded her background in PR and marketing communications to translate binary code to colorful stories that have been known to wear out readers' mouse scrolls. Alexandra is also a social media enthusiast who 'likes' only what she likes and LOLs only when she laughs out loud.

2 Comments


  • Firstly, I would like to say it’s really interesting to see how the idea of this game got developed. No one could have imagined that what started as an April Fools' funny joke video released by Google on April 1st, 2014, where the video was mashing Google Maps & Pokemon, would become a reality, at least as a game.

    It’s really sad that people are so addicted to the game that they are not even bothered about realizing that they are putting their whole online identity at risk, not only with this game but also with other such things, like downloading and installing any application without giving a look at its security. Apart from this, the worst thing for this particular Pokemon Go game is that, when people share news that this game is making their smartphones vulnerable to ongoing cyber-crimes, they don’t bother to listen to it, and just continue with this game.

    It’s quite shocking to know that the game has gained such big popularity that players of Pokemon Go are looking for critters everywhere, including some places that are considered to be hallowed ground and inappropriate for gaming, such as churches, the United States Holocaust Memorial Museum, Arlington National Cemetery, the Los Angeles Museum of the Holocaust, the 9/11 Memorial in New York City, the Vietnam Veterans Memorial in Washington and monuments in national parks.

  • Hello! I've been following your weblog for some time now and finally got the bravery to go ahead and give you a shout out from Atascocita Tx! Just wanted to tell you keep up the fantastic work!