Pokemon Go has become a global phenomenon. Everywhere you look, someone is trying to catch a Jigglypuff or gather Razzberries from the nearest Pokestop. The popular phone app, which is available for both iOS and Android devices, is leading a generation of people to try to be the very best – along with being something fun and new for younger gamers, it's bringing the nostalgia factor to older players who remember their very first encounter with Professor Oak.
But there may be an Ekans in the grass waiting to bite the ankles of unsuspecting trainers. Popularity often comes with a price, and this time, that price is the attention of cyber criminals.
It's a fake!
Cyber attackers are crafty, and one way they're pulling the wool over the eyes of Pokemon Go players is by creating a fake app. According to Hackread contributor Ryan De Souza, this Pokemon Go Ditto was in the Android app store masquerading as the real deal – instead, it had been injected with a remote access tool. The app is downloaded onto Android phones using the sideloading capability – meaning it wasn't an "official" download in the first place. The simple rumor that the game was on the app store in places like New Zealand was enough to make people go to great lengths to download it in their own countries before it was officially released, and the cyber criminals behind the malware-laden app took advantage of their excitement. The malicious app was available on third-party sites less than 72 hours after the game was released.
The RAT that has been injected into this application is called DroidJack or SandroRAT, which allows intruders to take full control of a user's device when installed. It can take pictures and videos, track your location and modify content on your device, among other troublesome issues.
"The main threat from sideloading applications onto a smartphone is that users must open certain security permissions to install the unofficial software," wrote iDigitalTimes contributor Flonna Agomuoh. "In particular, users must enable the 'unknown sources' options, allowing the device to accept and install third-party software. With this option selected, users may unintentionally install compromised software onto their devices with the Pokémon Go APK."
The idea of cyber criminals creating a way to take total control over your device isn't new, but that doesn't make it any less frightening. Parties with malicious intent could easily gain access to your location data and other important account details, potentially leading to identity theft or other kinds of fraud. To detect this malware on your device, check your permissions settings to see whether the app has permissions it shouldn't. There doesn't seem to be any cure for an infection of this nature yet – so be extra careful what apps you're downloading.
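The permission check described above can also be done from a computer against the package details Android reports. The following is an added example, not part of the original article: the watch list of permissions is an assumption chosen to match the abuses described here, and the sample output and the package name `com.example.game` are constructed.

```python
import re

# Assumption (not from the article): permissions a location-and-camera game has
# no obvious need for, chosen to match the abuses the article describes.
UNEXPECTED_FOR_A_GAME = {
    "android.permission.SEND_SMS": "can send premium-rate text messages",
    "android.permission.READ_SMS": "can read text messages",
    "android.permission.RECORD_AUDIO": "can record from the microphone",
    "android.permission.READ_CONTACTS": "can read the address book",
    "android.permission.READ_CALL_LOG": "can read call history",
    "android.permission.CALL_PHONE": "can place calls without asking",
}

# Constructed sample laid out like `adb shell dumpsys package <name>` output.
# com.example.game is a placeholder package name.
SAMPLE = """\
Packages:
  Package [com.example.game] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.CAMERA
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
"""

def requested_permissions(dumpsys_text):
    """Return the names listed under 'requested permissions:'."""
    perms, in_section = [], False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
        elif in_section:
            name = stripped.split(":")[0]
            if not re.fullmatch(r"[\w.]+", name):
                break  # next section header or blank line ends the list
            perms.append(name)
    return perms

def flag_unexpected(dumpsys_text):
    """Map each requested permission on the watch list to why it matters."""
    return {p: UNEXPECTED_FOR_A_GAME[p]
            for p in requested_permissions(dumpsys_text)
            if p in UNEXPECTED_FOR_A_GAME}

if __name__ == "__main__":
    for perm, why in flag_unexpected(SAMPLE).items():
        print(f"{perm}: {why}")
```

A game that legitimately needs location and the camera will still list those, so the useful signal is what appears beyond them.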
Not the first of its kind
This isn't the first time an illegitimate application has taken users for a ride and potentially stolen data. Trend Micro researchers reported earlier this year on a fake Russian banking app called Fanta SDK that was capable of changing users' phone passwords when they tried to remove or deactivate the app's admin privileges. The application is available on third-party stores, and people have been downloading it across Russia.
The victims of this malicious application are customers of Sberbank of Russia, according to Sensors Tech Forum. Some users' bank accounts have been compromised. Once a user notices that the app contains malware and tries to remove the admin privileges, the app changes passwords and empties bank accounts, particularly if the user has multiple accounts with Sberbank.
Another example that draws a closer parallel with the recent Pokemon Go phenomenon would be the slew of imposter accounts that cropped up when the mobile game Flappy Bird grew popular back in 2014. The original game was downloaded over 50 million times, which is most likely why cyber criminals decided to target unsuspecting users with these fake apps. Trend Micro researchers found that the icons associated with these fake apps looked exactly like the original's. The malicious apps were wreaking havoc with users' bank accounts by sending hidden messages to premium numbers and causing unwanted charges to their phone bills. So while mobile customers were happily playing their game, the app was sneakily sending messages and racking up premium fees on their accounts.
The lesson learned here and with the malicious Pokemon Go incarnation should be simple: Don't download third-party apps unless you're absolutely sure of the developers' legitimacy.
It's not just cyber crime
The dangers associated with Pokemon Go aren't limited to the virtual world. There are physical safety risks surrounding the game, as well. The app itself reminds players upon loading to mind their surroundings, but there are inevitably already some unfortunate stories breaking about people doing the exact opposite.
Trend Micro global threat communications manager Christopher Budd wrote recently that Pokemon Go has been considered the reason behind several armed robberies as the result of criminals using the app to lure players to unspecified locations. All these malicious persons have to do is place a "lure" on a Pokestop – effectively making that location a hotbed of Pokemon activity – and then wait for unsuspecting trainers to arrive.
The media is, understandably, homing in on these physical dangers. Vox contributor Aja Romano reported that the perpetrators of a particular string of robberies were four teenagers driving a BMW. They used the lure tactic to stage up to 11 robberies in the St. Louis area. In addition, people aren't watching where they're going – instead opting to stare at their phones in hopes of snagging a rare pocket monster – and are falling, walking into traffic and doing other unsafe activities.
"Meanwhile, anecdotal reports of people playing Pokémon Go while driving – yes, actually driving actual cars – keep cropping up," Romano wrote. "So far, at least one police department, this time in Alabama, has issued an advisory due to a player totaling his car while playing the game. And it seems he's not alone."
Romano proceeded to embed tweets of Pokemon Go players announcing the fact that they were driving while playing the game – something unthinkable, and yet it's happening across the country.
So what should you take away from the potential risks of the global phenomenon of Pokemon Go? A couple of things come to mind:
- Don't download apps from third-party sites.
- Don't drive while playing and always pay attention to your surroundings.
When fake mobile apps crop up in response to popular mobile games or banking applications, you need to know your data is protected. Consumers should follow best practices when it comes to keeping their data – and personal well-being – safe.