The Pokemon GO craze has blown up since it was released on July 6th, with the number of daily users topping Tinder, Snapchat, Instagram and Facebook. Video after video depicts people you never thought would be into Pokemon roaming around public parks and stores with their phone in their hand, on the hunt for Jigglypuffs and Pikachus.
And the hackers are loving it. Fads always attract the nefarious crowd trying to make a quick buck or a name for themselves off the latest trend, and Pokemon GO is ripe for black hats. Because the game is currently only available in the US, UK, Australia, Germany, Canada and New Zealand, those wanting to play the game living outside those areas have had to resort to downloading unofficial apps in order to play Pokemon GO.
Unfortunately, some of the apps downloaded from unofficial sites contain a malicious program within the Pokemon GO APK (Android Application Package) that, when downloaded, will give the attacker full access over the victim’s device using a Remote Access Tool, or RAT, called DroidJack. Pokemon GO apps containing the RAT were discovered less than 72 hours after the official application was released.
DroidJack’s been around since 2014, but this is the first time we’re seeing it used in a major malware campaign. Up to now, it’s been mostly used by jealous spouses and spies. While there are still no reports of malicious activity by the downloaders of the DroidJack infested Pokemon GO app, the first victim will no doubt speak up soon.
Sideloading, AKA Security Side-Stepping
The malicious apps are only available by sideloading, and because the apps use the Pokemon GO APK, they can only be downloaded on Android devices. For the unfamiliar, sideloading in general refers to the transfer of data between two devices – like sending photos to yourself or friends, for example. On Android devices, though, sideloading is when a user installs apps or APKs from outside official Android app stores.
iOS device owners can also sideload apps using Apple’s Enterprise Certificate, but this process includes a more secure way of making sure the user ‘trusts’ the developer by requiring him or her to accept the developer’s certificate. That additional layer of security is enough to keep most iOS devices free of similar sideloading issues.
Sideloading APKs on Android phones is super easy to do nowadays, and offers benefits like being able to download apps from places besides official Android app stores – but comes with its own risks, as this latest Pokemon GO fiasco clearly indicates. While the malware has yet to infect anyone, it’s another indication of the lack of security awareness by mobile users and mobile application developers.
A Brief History of Mobile Malware Infographic
But even living in the areas where Pokemon GO is downloadable aren’t free from malicious activity. This time, Security researchers at ESET discovered a lockscreen malicious app that made it all the way to the Google Play store. Once a user tried to open the app after downloading it, their screen would lock up, causing many victims to reboot. The adware is then perfectly hidden in the background, clicking on porn ads to make money.
Pokemon GO is by no means the first time hackers have hijacked the popularity of one game to trick naive users into downloading a similar, yet malicious, app. It’s a tactic as old as time…or at least computers. Between malicious Angry Bird clones to fake banking apps to malicious components of legitimate applications, hackers have got the mobile malware field covered. For a look back in mobile malware time, check out the infographic below!
Viewing on mobile? Click the infographic to enlarge.
Malicious apps aren’t the only way your mobile phone can be compromised – perfectly legitimate apps have an average of 9 vulnerabilities – over 3 of which are high or critical vulnerabilities. Read our research on The State of Mobile Application here!