Despite a significant drop off in active users, the popularity of Pokémon Go is continuing to attract scammers looking to exploit users in search of a leg up, and recently researchers have spotted scams spreading into social media and fake apps.
Of the 543 social media accounts Proofpoint researchers spotted that were related to Pokémon Go across Facebook, Twitter, and Tumblr platforms, 167 were fraudulent, according to a 7 Sept blog post.
Researchers found that 44 of the accounts contained links to download files, many of which purporting to be game guides, 79 were imposter accounts, and 21 of the accounts promised “free giveaways.”
The accounts offering downloads affected both mobile and desktop platforms and delivered adware, malware or software different that what was advertised. Some of the accounts also redirected users to install Android APKs which happened to be malware, the post said.
Many of the accounts distributing these third party applications are readily available via search on social networks and while some of the accounts may use social engineering to entice players to download malicious content, more often they just pretend to be legitimate, Proofpoint vice president of mobile security Dave Jevans told SCMagazine.com via email comments.
“This isn't so much a matter of gullibility as ignorance of the potential threat and eagerness to get ahead in the game,” Jevans said. “Few of these accounts have big red flags aside from language issues, but the target demographic for Pokémon Go isn't sensitised to social media and mobile app threats.”
Jevans said fraudulent accounts and app store downloads were detected in many regions.
In addition to the fraudulent social media accounts, Malwarebytes researchers spotted a new mobile trojan which uses the game's icon as bait to lure users into downloading the malicious app.
The trojan uses the same package name and icon as the creature-catching game, making it more difficult for users to differentiate the fake application from the real one, according to a 5 Sept. Malwarebytes post.
The malicious app requests admin rights once installed, if permission is granted the app will immediately redirect users to random destinations such as phony dating sites designed to entice users to divulge personal information. Other destinations included sweepstakes claiming the victim has won prizes, survey, and other phishing pages.
Despite the frequency of Pokémon Go related malware and phony content designed to exploit users, a Niantic spokesperson told SCMagazine.com it is fairly easy to avoid becoming infected.
“Do not install any apps related to Pokémon GO that come from any organisations other than Niantic or The Pokémon Company,” the spokesperson said via emailed comments.
Pokémon Go isn't the first mobile application to provide a hacker entry point and almost any type of malware can be disguised as an add-on to Pokémon Go, or even as Pokémon Go itself, DriveSavers Director of Engineering Mike Cobb told SCMagazine.com via emailed comments.
“Earlier this year, a security firm found that between 75 and 80 percent of the top free apps on Android or iPhones were breached,” Cobb said. “This number increases to 97 percent among the top paid apps, like Pokémon Go.”
Cobb said users should always make sure they are downloading the correct app and should always pay attention to the permissions that applications request when downloading to ensure the application isn't requesting more than it actually needs.