Here comes the Pokémon Go malware

Well, that didn’t take long. Pokémon Go, the massively popular new game that’s bigger than Tinder, and poised to top Twitter in terms of daily users, has now been targeted by malware creators. Security researchers at Proofpoint spotted a malicious Pokémon Go app in the wild that’s infected with a remote access tool called “DroidJack,” which would give attackers full control over a victim’s phone.

There’s no need to panic just yet, however.

The researchers said they hadn’t actually found any reports of the malware having infected users – they only discovered that the malware exists, and that it had been uploaded to an online file storage service in the form of an APK file.

The malware had not made it to the official Google Play Store, either. That means there’s no risk that someone may have unintentionally downloaded the app from app store, thinking it was the real deal.

Instead, the malware authors were clearly trying to capitalize on the pent-up demand from international users for the hot game, which hasn’t yet made its way to all markets.

The game is currently live in the U.S., following a rollout in Australia and New Zealand, but its further international release has been delayed due to scaling issues. There’s so much pressure on the servers, the game has been crashing – causing game maker Niantic Labs, a Google/Alphabet spinoff company, to pause its expansion plans for the time being while they deal with server capacity issues.

That has led some users to seek out “unofficial” versions of the Pokémon Go application online, where it has been uploaded for distribution on various sites as an APK file – the file format used by Android applications. Unlike iOS, Android allows users to toggle off a setting that prevents installation of apps from outside the official app store.

pokemon-fig4This, however, can be a dangerous practice.

In the case of the infected APK version of Pokémon Go that the security researchers discovered, there’s no way for players to tell if they had installed malware without digging into the app’s permissions and then comparing them to the official app’s permissions. (A second method involves comparing the SHA256 hash of the APK to the official version, but we wouldn’t call this a consumer-friendly method. More information on that is here.)

In fact, the compromised application has the same startup screen as the legitimate version, the researchers pointed out. (See image at right).

This particular malware was caught early on, however.

Though the app does include a remote access tool that would allow attackers to take control of the victim’s phone, the server that would listen for connections from infected devices then give them commands (or the “C&C server” – aka the “command and control” server), which was based in Turkey, was not accepting connections from infected devices, the researchers found.

That being said, the fact that malware authors are already toying around with fake Pokémon Go apps should be a word of warning to anyone thinking of seeking out the game through unofficial means. This is not likely to be the last time we see Pokémon Go malware, if the game remains as popular as it is today.

To protect yourself from possible infections, your best bet is to only download the game from the official app store, and not a third-party site.

In addition, be cautious of the various Pokémon guides and hack apps that are live on Google Play and elsewhere, as well. They may not all be safe, either.

While Google does scan for malware across its app store, its record is spotty when it comes to proactively preventing malware from going live. Be aware of any app’s request for permissions, as a start. While it’s one thing for the official app to ask for extensive data-capture permissions, a simple guide app should not need the same. And if you’re not comfortable, don’t install.