The location-based, augmented reality mobile game Pokémon Go is taking the world by storm. Released to much fanfare on July 6th, the app has already overtaken the Facebook app in terms of usage on Android devices, and has been reported by Apple to be the most downloaded app ever during its first week of release. Unsurprisingly, scammers and cybercriminals are quick to cash in on its massive popularity, creating malicious versions of the game and related help apps that lock screens and deliver scareware and adware, even a remote access trojan.
We came across another how-to app in Google Play, touting its ability to help players easily earn Pokécoins, the app’s in-game currency (earned via gameplay or purchased with real-world money). It is in fact a scam.
Figure 1. UI of the app in Google Play (left); after installation and launch, two windows pop up on the screen—one named ‘Hack Root’ (center) and the other ‘Download Pokémon Go.’
The scammers also take advantage of Pokémon Go’s unavailability in some regions. If the game is not available in the user’s country, they are prompted to download an Android application package (APK) from the URL, hxxp://catafiles[.]com/547457.
Figure 2. Scammers redirect users to a site that purportedly contains an APK for Pokémon Go; to be able to download it, the user must first download a promotional app.
Upon installation and launch, the fake app will require the user to input their Pokémon Go username, device type and geographical region. Clicking ‘Connect’ redirects the user to another window from which the user can supposedly select features to use for their game, such as setting the amount of Pokécoins and Pokéballs, enabling AES-256 encryption and specifying a proxy server to bypass the app’s geographical restrictions.
The app then prompts the user to pass a "human verification" step before it will supposedly add the in-app items. In reality, it simply redirects the user to another site that prompts them to download yet another app (shown below).
Our analysis showed that the app is among those that deceive users into downloading and installing other apps in order to promote them.
Figure 5. The fake app accesses the site, hxxp://pokemon-go[.]webie[.]biz/en[.]html, to display all of its prompts (left). The ‘Online Users’ shown at the app’s homepage is randomly generated (right).
We also found a similarly coded app from the same developer, this time targeting players of the ‘Summoners War’ game. The app had over 5,000 downloads before it was removed from Google Play.
Cashing in on Pokémon Go
We also analyzed 149 Pokémon Go-related apps that were available on Google Play from July 8th to July 21st; together these apps had over 3.9 million downloads. We categorized them into:
- Guides, Walkthroughs or How-Tos
- Fake GPS / Locations (used for gameplay)
- Social Network-related (used as platform for players to communicate with each other)
- Others, such as wallpaper apps and downloader tools
Figure 7. Categories of the Pokémon Go-related apps we analyzed.
Additionally, there was an upward trend of newly published or updated Pokémon-related apps in Google Play from July 8th to July 20th. On July 21st, 57 of these apps were removed from Google Play. Further analysis revealed that only 11% of them are legitimate / non-malicious. The fake apps have no real functionality and merely use Pokémon Go as bait to lure users into installing them, so that they can promote other apps.
This self-promoting app has already been taken down from Google Play; we have also disclosed these findings to Google.
Figure 8. Based on our analysis of the samples, we’ve discovered that 87% of these Pokémon Go-related apps were adware and only 11% were legitimate / non-malicious.
Aside from keeping the device’s OS up to date, users should exercise caution when installing apps from unknown developers and third-party app stores, or apps that promise unrealistic offers—in this case, premium game content (e.g. Pokécoins). Checking an app’s user reviews can also help in picking out scams from legitimate apps, for instance when an app’s ratings are markedly disproportionate to what its reviews describe.
Users can also benefit from mobile security solutions such as Trend Micro Mobile Security Personal Edition and Mobile Security Solutions, which provide additional layers of security by detecting and blocking the installation of malicious as well as potentially unwanted and fake applications.
The SHA1s and package names related to our analysis are in this appendix.
With additional insights from Federico Maggi and Kenny Ye.