A Malicious ‘Pokémon GO’ App Is Installing Backdoors on Android Devices


Nintendo’s new location-based augmented reality game ‘Pokémon GO’ is hot right now. Like really, really popular—so much so that players are spoofing their phone’s location in their quest to catch ’em all.

But wannabe Pokémon masters should take heed: amid high demand for the game as it slowly rolls out across the globe, security researchers have discovered a malicious version of the Pokémon GO app floating around that installs a backdoor on Android phones, allowing hackers to exploit Poké-hype to completely compromise a user’s device.

The security firm Proofpoint discovered the malicious application, or APK, which was infected with DroidJack, a remote access tool (RAT) that compromises Android devices by silently opening a backdoor for hackers. The malicious app was uploaded to an online malware detection repository on July 7, less than 72 hours after Nintendo released the game in Australia and New Zealand.

To install it, a user has to “side-load” the malicious app: enable installation from “unknown sources,” which turns off the Android security setting that normally blocks apps that did not come through the Play store.

This is potentially a huge deal: the game’s slow roll-out to different regions has led some impatient players to download the app from third-party websites, which requires side-loading, instead of waiting for the official release on Android’s Play store. Proofpoint notes that several major news outlets have even published instructions on how to find and install the app from a third party.

“Unfortunately, this is an extremely risky practice and can easily lead users to installing malicious apps on their own mobile devices,” Proofpoint wrote in a blog reporting the malicious Pokemon app. “Should an individual download an APK from a third party that has been infected with a backdoor, such as the one we discovered, their device would then be compromised.”

Luckily, there are several ways to check whether you’ve downloaded the malicious app. The infected version requests more permissions than the legitimate one, so one method is to compare the permissions your copy asks for against those of the official app. A more thorough option is to compare the APK’s SHA-1 hash, a fixed-length fingerprint of the file that changes if even a single byte is modified, against the hash of the legitimate version. Two caveats apply. The reference hash has to come from a source you trust; a hash published on the same third-party site as the download proves nothing. And SHA-1 is no longer recommended for new uses, but matching a downloaded file against a published hash of a specific file is a second-preimage scenario where it still holds up, so use it when that is what was published and prefer SHA-256 when both are available. A stronger check than either is the APK’s signing certificate, which `apksigner verify --print-certs` prints: Android uses the signer to decide whether an update comes from the same developer, and a repackaged APK cannot carry the original developer’s signature.
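The two checks described above, as an added example that is not from the article or from Proofpoint: a Python script that hashes a downloaded APK and compares it with a reference hash from a trusted source, and that diffs the permission list of a suspect APK against the legitimate one using the text that `aapt dump permissions <apk>` prints. The permission lists and the file contents used below are constructed for illustration and are not the real Pokémon GO manifest or hashes; the hash values you would pass on the command line are assumed to come from a source you trust.

```python
# Added example (not from the article or Proofpoint). Two offline checks for a
# side-loaded APK:
#  1. Hash the file and compare it with a reference hash from a trusted source.
#  2. Diff its permissions against the legitimate app's, using the output
#     format of `aapt dump permissions <apk>`.
import hashlib
import hmac
import re

# `aapt dump permissions` prints one line per permission. Versions differ
# slightly, so accept both "uses-permission: name='x'" and "uses-permission: x",
# and ignore trailing attributes such as maxSdkVersion.
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?.*$")


def parse_aapt_permissions(dump: str) -> set[str]:
    """Return the set of permission names found in `aapt dump permissions` output."""
    perms = set()
    for line in dump.splitlines():
        m = _PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms


def extra_permissions(suspect_dump: str, reference_dump: str) -> set[str]:
    """Permissions the suspect APK requests that the legitimate one does not."""
    return parse_aapt_permissions(suspect_dump) - parse_aapt_permissions(reference_dump)


def file_digest(path: str, algorithm: str = "sha256") -> str:
    """Hex digest of a file, read in 1 MiB chunks so a large APK is not loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_reference(path: str, reference_hex: str, algorithm: str = "sha256") -> bool:
    """True if the file's digest equals the trusted reference digest.

    The reference is normalised to lower-case hex without surrounding whitespace,
    since published hashes vary in case; compare_digest avoids an early-exit
    string comparison.
    """
    actual = file_digest(path, algorithm)
    expected = reference_hex.strip().lower()
    return hmac.compare_digest(actual, expected)


# Constructed sample dumps in the shape `aapt dump permissions` produces.
# The "legitimate" list is a plausible subset for a location-based AR game; the
# "suspect" list adds permissions of the kind a RAT needs. Neither is the real
# Pokémon GO manifest. The package name is the Play store identifier of the game.
LEGIT_DUMP = """\
package: com.nianticlabs.pokemongo
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
"""

SUSPECT_DUMP = """\
package: com.nianticlabs.pokemongo
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECORD_AUDIO'
"""

if __name__ == "__main__":
    import sys

    print("extra permissions:", sorted(extra_permissions(SUSPECT_DUMP, LEGIT_DUMP)))
    # Usage: python check_apk.py <downloaded.apk> <trusted-sha256-hex>
    if len(sys.argv) == 3:
        print("hash matches reference:", matches_reference(sys.argv[1], sys.argv[2]))
```

Run with no arguments to see the permission diff on the constructed samples; pass an APK path and a reference hash to check a real download. To feed real data into `extra_permissions`, capture `aapt dump permissions` for both the suspect file and a copy of the official app and pass the two outputs as strings. The hash check tells you only whether the file is byte-for-byte the one the reference describes; a mismatch for any reason, including a newer release, deserves the same suspicion as a tampered file.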

“Bottom line, just because you can get the latest software on your device does not mean that you should,” the security researchers write. “Instead, downloading available applications from legitimate app stores is the best way to avoid compromising your device and the networks it accesses.”