Earlier this month, the first Pokémon Go malware was spotted in the wild, but the app was not much of a threat to users as it never made it into the official Google Play store for download. The same cannot be said of a new group of dangerous applications targeting Pokémon Go users by promising cheats, tips, and other functionality. Despite their innocuous-sounding titles, the apps actually contained malicious code that either tricked users into paying for expensive bogus services or took over victims’ phones to click porn ads, among other things.
The apps were first discovered by security researchers at ESET Mobile Security, and included a lockscreen app called “Pokémon Go Ultimate” as well as “scareware” applications “Guide & Cheats for Pokémon GO” and “Install Pokémongo.”
The apps were live on Google Play at the time the firm spotted them, but were removed by Google after ESET flagged them.
According to the researchers, “Pokémon GO Ultimate” resembled the game itself but deliberately locked the screen after startup. Rebooting did not solve the problem; affected users had to restart their devices by pulling out the battery or by using Android Device Manager. Even after a restart, the app continued to run in the background, clicking on porn advertisements, and users had to uninstall it manually from Android’s Settings.
While the app was malicious, the way it operated – locking users out of their devices – could have allowed its creators to do even more damage if they chose. Had they added a ransom message to their app, for example, they could have had the first-ever lockscreen ransomware on Google Play, the firm noted.
The other two applications didn’t take over victims’ phones, but were rather in the “scareware” family. That is, the apps lured users into subscribing for unnecessary services.
In this case, the apps would promise users they could generate large numbers of in-game items like Pokécoins, Pokéballs or Lucky Eggs for Pokémon Go – up to 999,999 daily. However, before delivering on those promises, the apps would require users “verify” their accounts. At this point, fraudulent pop-ups would appear saying things like the device was infected with viruses and needed to be cleaned.
This would sign the victim up for expensive SMS subscription services or perform other malicious actions, depending on the user’s country. The apps could also be used to download other apps, display scam ads, or serve surveys. And with each press of the “Back” button, new pop-ups or ads would appear. (To get rid of them, users had to press “Back” twice.)
Fortunately, none of these apps were live for long on Google Play before their removal. That means they didn’t have time to attract a large number of victims. “Pokémon Go Ultimate” reached 500 – 1,000 users, “Guide & Cheats for Pokémon Go” reached 100 – 500, while “Install Pokemongo” attracted 10,000 – 50,000 victims, the firm said.
That being said, it is concerning that these apps even made it to Google Play in the first place, given their functionality.
Google’s oversight of its Play Store is still not on par with Apple’s more strict procedures, despite Google’s claims last spring that it had also implemented human-led app reviews in conjunction with its more automated systems. The company has a spotty record when it comes to proactively preventing malicious applications, adware and scareware from going live on its app store, even if it reacts quickly to pull down those apps that get flagged. The company, however, claims that its systems protect Android users from malware by checking over 6 billion installed apps per day.
And with the Pokémon Go craze showing no immediate signs of slowing down, you can expect there to be many more malicious apps to pop up in the future.
As it seems you can’t trust the Google Play store to be entirely safe, it’s best to use caution before installing a third-party Pokémon Go application for the time being – especially if it’s making promises that seem too good to be true.
Image credits: ESET