The Pokemon Go augmented-reality game has quickly become a smash hit, with 7.5 million US downloads in the first week. Demand for the game is so high that hackers have taken notice too.
Researchers have found a malware-infected version of the Pokemon Go app for Android. The malware, called Droidjack, is part of the AndroRAT family, a remote access Trojan that provides backdoor functionality and access to people’s mobile devices.
DroidJack is not a new threat. In December 2015, police cracked down on people who bought DroidJack from underground forums where it was sold for around $200. Police have raided homes across Europe and the US, arresting people suspected of installing the mobile phone malware to spy on their spouse, friends or neighbors.
Dwelling on Android threats, Bitdefender identified AndroRAT.A as a top Android threat of the first half of 2015. Like other RATs, this detection allows a remote attacker to control the infected device with a user-friendly control panel – monitor and make phone calls and send SMS messages, get the device’s GPS coordinates, activate and use the camera and microphone and access files on the device.
Another word of warning for players of the game on iOS. The Pokémon Go app requests more permissions than it needs. Signing into the app via a Google login reportedly gives the developer, Niantic, full access to users’ Google accounts, an error the company is working to fix.
We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account”, the company told Ars Technica. “However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access.
The Android version does not have the same issue.
Word of advice for users planning to download this and other popular mobile games:
- Beware of rogue applications posing as genuine games. Since Pokemon Go is officially available for download only in the US, Australia and New Zealand, the temptation to download it from third-party market places is huge. Yet copycats may carry malicious code that takes full control of the device, collecting users’ personal data and clicking on ads in the process. In fact, 19.55 percent of global threats are fake apps that install malware or highly aggressive adware, according to Bitdefender’s Android Threat Report for the second half of 2015. So it’s best to download apps only from official app stores.
- Install a security solution suitable for your mobile device to identify malicious applications before they’re installed and discover the privacy impact of apps already installed.
- When installing an app, review the permissions it requires and remove unnecessary ones. In this case:
- Head to Google’s security page and look for Pokémon Go.
- Select Pokémon Go, then click “Remove” to revoke full access.
- Launch the game on your device.
- Check reviews about the app and the developer before installing a new application.
- As a general rule, don’t download fake apps posing as software updates, sent in unrequested emails.
- Also, avoid jailbreaking your device unless you know how to protect it from threats and can take full responsibility for its security. Jailbreaking will disable the “sandboxing” feature of the iOS, an essential piece of the operating system’s security architecture. Read more about the negatives.
The real-world adventure game also exposes users to physical risks, so stay aware of your surroundings to avoid falling prey to thieves, trespassing and even stumbling on a dead body!
Later edit: Pokémon Go on iOS no longer requests full access to Google accounts when a Google account is used as a sign-in option.