Malicious versions of Pokémon GO found, company apologises for privacy issues

Security researchers find malicious versions of the Pokémon GO app, while Niantic, the firm behind the new gaming frenzy, apologises for privacy mishaps.

Pokémon GO, currently dragging teenagers out from their rooms all around the country.

Striking us all with a bout of nostalgia and love for the infamous noughties hit TV series, Pokémon GO has landed on mobile phones, dragging millions of computer game players out of their bedrooms and into the fresh air.

However, as is to be expected with a rollout of this size, it has not been without a few hitches.

The gamemaker Niantic has had to pull the app from both major app stores due to overwhelming demand, meaning the Pokémon GO app came and left the UK with a bang this week.

Meanwhile, researchers at Proofpoint have found malicious versions of the Android app, as malware writers sought to take advantage of the frustration of would-be players who could not get the game through official channels.

If you're lost: Pokémon GO is a mobile game which uses Niantic's Real World Gaming Platform to help players find and catch Pokémon as they explore real-world locations. Pokémon are superimposed onto the scene picked up by the device's camera, allowing players to catch them in 'real life'.

The game was released on 6 July. Citing concern for the experience of players already on the app, the firm pulled it from the UK Apple App Store and Google Play store.

Android users were then found to be 'side-loading' the app onto their devices, and some of them were taking the APK from nefarious sources.

A number of online forums published tutorials demonstrating how Android users could download an APK for the game from a non-Google URL. Doing so involved changing Android's security settings to allow installation from "unknown sources" (the tutorials called them "untrusted sources"), which switches off the protection that limits installs to apps vetted by Google Play and leaves the user with no way to tell a genuine build from a repackaged one.

Among those side-loaded builds, Proofpoint discovered a version of the app that had been modified to include the DroidJack Remote Administration Tool (RAT).

Kevin Epstein, vice president of the threat operations centre at Proofpoint, told SCMagazineUK.com, “DroidJack gives attackers complete access to mobile devices including user text messaging, GPS data, phone calls, camera – and any business network resources they access. This makes both the practice of side-loading applications (downloading apps from unofficial app stores) and the presence of apps like the malicious version of Pokémon GO especially concerning. Installing apps from third-party sources, other than officially vetted and sanctioned corporate app stores, is never recommended.”

Epstein added: “Even though this malicious app has not been observed in the wild, it represents an important proof of concept, namely, that cyber-criminals can take advantage of the popularity of applications like Pokémon GO to trick users into installing malware on their devices.”

Offering advice to companies on the risks of employees bringing such a device into their networks, Javvad Malik, security advocate at AlienVault, told SC, “Jailbreaking devices or installing apps from unofficial or untrusted sources is a recipe for letting the fox into the henhouse. Enterprises should ensure that mobile devices that access corporate systems are prevented from being jailbroken and cannot download unauthorised apps. Doing so can put the device, its data and users' privacy at risk.”
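The side-loading tutorials described above and the enterprise advice here both turn on two device-level facts: whether the "Unknown sources" switch has been enabled, and which third-party packages did not come from Google Play. The following is an added example (not code from the article, Proofpoint or AlienVault) that checks both over adb on an Android 7 or earlier device; the adb commands are standard, and the package names in the sample data used to exercise the parser are constructed.

```shell
#!/bin/sh
# Added example, not from the article or from the vendors it quotes. It audits
# an Android device (via adb, Android 7 and earlier) for the two conditions the
# article describes: the "Unknown sources" toggle being on, and third-party
# packages that were not installed by Google Play (side-loaded APKs show up
# with installer=null). Package names in the sample data are constructed.

# Parse the output of `pm list packages -3 -i`, whose lines look like
#   package:com.example.app  installer=com.android.vending
# and print every package whose installer is not Google Play.
sideloaded_packages() {
    printf '%s\n' "$1" | awk '
        /^package:/ {
            sub(/^package:/, "", $1); name = $1
            inst = "unknown"
            for (i = 2; i <= NF; i++)
                if ($i ~ /^installer=/) { sub(/^installer=/, "", $i); inst = $i }
            if (inst != "com.android.vending") print name " (installer=" inst ")"
        }'
}

# Interpret `settings get secure install_non_market_apps`: "1" means the user
# has allowed installs from unknown sources. On Android 8+ this global switch
# is gone (the permission is granted per installing app), so a "null" answer
# means "check the per-app setting instead", not "safe".
unknown_sources_enabled() {
    [ "$1" = "1" ]
}

# Pull both facts from a connected device and report. adb shell output carries
# CRLF line endings, hence the tr.
audit_device() {
    serial="$1"
    pkgs=$(adb -s "$serial" shell pm list packages -3 -i | tr -d '\r')
    flag=$(adb -s "$serial" shell settings get secure install_non_market_apps | tr -d '\r')
    if unknown_sources_enabled "$flag"; then
        echo "unknown sources: ENABLED (value=$flag)"
    else
        echo "unknown sources: not enabled (value=$flag)"
    fi
    echo "third-party packages not installed by Google Play:"
    sideloaded_packages "$pkgs"
}

# Usage: sh audit.sh <device-serial>   (serial as listed by `adb devices`)
if [ -n "${1:-}" ] && command -v adb >/dev/null 2>&1; then
    audit_device "$1"
fi
```

The installer field is the useful signal here: a repackaged APK keeps the genuine package name, so a package listing alone looks clean, while `installer=null` (or anything other than `com.android.vending`) tells you the build did not come through the store's vetting.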

Aaron Lint, vice president of research at Arxan Technologies, commented on the risks this presents to the enterprise: "With so many adult users, there is bound to be a large contingent who are playing with devices that are also connected to secure enterprise networks. This means any malware downloaded through attempting to play Pokémon Go or other games will be able to spread to their organisation as well."

The app has also brought privacy concerns to light: when players signed in with a Google account it was granted full access to that account, a permission level which in principle lets the holder read email, delete photos and modify calendar events. Niantic said the scope had been requested in error and quickly offered to reduce it.

Ed Macnair, CEO of CensorNet, told SC, "Aside from the personal privacy issues, who's to say an employee won't use their work Gmail account to sign up to Pokémon Go? Employees are often quick to download the latest app to access or share data and it's unlikely they'll be scrutinising what they are granting the app access to. In the event of a hack targeting the creators, criminals will potentially be given access to a treasure trove of data, followed by the inevitable brute force attempts thanks to the cache of usernames and passwords they'll be in possession of."

Macnair warned, “Businesses need to stay vigilant to the applications and websites their employees are using and have the tools in place to give them absolute certainty someone is who they say they are, as well as the ability to block access if there's any risk. The implications of failing to do so could be devastating.”

In a further twist, the official Twitter account for Pokémon GO tweeted that, now that server capacity had been bolstered, the app was available in Germany again. The company said: