Malicious Mobile Apps and Pokemon GO Hacks: A Brief History + Infographic

Jul 18, 2016 By Sarah Vonnegut

The Pokemon GO craze has blown up since it was released on July 6th, with the number of daily users topping Tinder, Snapchat, Instagram and Facebook. Video after video depicts people you never thought would be into Pokemon roaming around public parks and stores with their phone in their hand, on the hunt for Jigglypuffs and Pikachus.

And the hackers are loving it. Fads always attract the nefarious crowd trying to make a quick buck or a name for themselves off the latest trend, and Pokemon GO is ripe for black hats. Because the game is currently only available in the US, UK, Australia, Germany, Canada and New Zealand, those wanting to play the game living outside those areas have had to resort to downloading unofficial apps in order to play Pokemon GO.

Unfortunately, some of the apps downloaded from unofficial sites contain a malicious program bundled into the Pokemon GO APK (Android Application Package) that, once installed and run, gives the attacker full control of the victim’s device through a Remote Access Tool (RAT) called DroidJack. Pokemon GO apps containing the RAT were discovered less than 72 hours after the official application was released.

DroidJack’s been around since 2014, but this is the first time we’re seeing it used in a major malware campaign. Up to now, it’s been mostly used by jealous spouses and spies. While there are still no reports of malicious activity by the downloaders of the DroidJack infested Pokemon GO app, the first victim will no doubt speak up soon.

Sideloading, AKA Security Side-Stepping

The malicious apps are only available by sideloading, and because they are built on the Pokemon GO APK, they can only be installed on Android devices. For the unfamiliar, sideloading in general refers to transferring data directly between two devices – sending photos to yourself or friends, for example. On Android devices, though, sideloading means installing apps or APKs from outside the official Android app stores.


iOS device owners can also sideload apps using Apple’s Enterprise Certificate, but that process adds a check: the user has to explicitly accept, or ‘trust’, the developer’s certificate before the app will run. That additional layer of security is enough to keep most iOS devices free of similar sideloading issues.

Sideloading APKs on Android phones is very easy nowadays, and it has benefits, like being able to install apps from places other than the official Android app stores – but it comes with its own risks, as this latest Pokemon GO fiasco clearly shows. While the malware has yet to infect anyone, it’s another indication of the lack of security awareness among mobile users and mobile application developers.
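A repackaged APK like the one described above (the real Pokemon GO package with DroidJack bundled in) can no longer carry the original publisher’s signature, so the practical check for a sideloaded file is "who signed this?". The Python script below is an added example, not code from the original post or from Checkmarx: it reads the v1 (JAR-style) signature file under META-INF/ of an APK, pulls the signer certificate out of the PKCS#7 blob with a small DER walker, and compares its SHA-256 fingerprint against an allowlist of expected publisher fingerprints. The APK and the certificates it runs on are constructed stand-ins (the real publisher fingerprint is not on the page, so a placeholder is used), and APK Signing Block (v2/v3) signatures are out of scope.

```python
"""Added example (not from the original post): triage a sideloaded APK by
checking who signed it. Only the v1 (JAR) signature in META-INF/ is read;
APK Signing Block (v2/v3) signatures are out of scope here."""
import hashlib
import io
import zipfile


def _split_tlv(buf, pos=0):
    """Decode one DER element at buf[pos]; return (tag, value, raw_tlv, next_pos).
    Single-byte tags are assumed, which holds for the PKCS#7 structures walked here."""
    tag = buf[pos]
    length = buf[pos + 1]
    header = 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header += n
    end = pos + header + length
    return tag, buf[pos + header:end], buf[pos:end], end


def _children(value):
    """Split a constructed DER value into its (tag, value, raw_tlv) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, raw, pos = _split_tlv(value, pos)
        out.append((tag, val, raw))
    return out


def certificates_from_pkcs7(der):
    """Return the raw DER certificates carried in a PKCS#7 SignedData blob
    (the META-INF/*.RSA, *.DSA or *.EC file of a v1-signed APK)."""
    tag, content_info, _, _ = _split_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    _oid, explicit0 = _children(content_info)[:2]
    signed_data = _children(explicit0[1])[0][1]
    for tag, val, _raw in _children(signed_data):
        if tag == 0xA0:                    # certificates [0] IMPLICIT SET OF Certificate
            return [raw for t, _v, raw in _children(val) if t == 0x30]
    return []


def signer_fingerprints(apk_bytes):
    """SHA-256 fingerprints of every certificate in the APK's v1 signature files."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_from_pkcs7(apk.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps


def classify_apk(apk_bytes, expected_fingerprints):
    """'unsigned', 'expected-signer', or 'unexpected-signer' (likely repackaged)."""
    fps = signer_fingerprints(apk_bytes)
    if not fps:
        return "unsigned"
    return "expected-signer" if fps <= set(expected_fingerprints) else "unexpected-signer"


# --- constructed sample data so the script runs offline --------------------
def _der(tag, value):
    """Minimal DER encoder, used only to build the sample signature block."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_apk(cert_der=None):
    """Constructed stand-in APK: a zip with a v1 signature block wrapping cert_der
    (a dummy SEQUENCE, not a real X.509 certificate). None -> unsigned APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"constructed placeholder")
        apk.writestr("classes.dex", b"constructed placeholder")
        if cert_der is not None:
            signed_data = _der(0x30,
                _der(0x02, b"\x01")                                           # version
                + _der(0x31, b"")                                             # digestAlgorithms
                + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010701"))) # id-data
                + _der(0xA0, cert_der)                                        # certificates
                + _der(0x31, b""))                                            # signerInfos
            content_info = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010702"))  # id-signedData
                                + _der(0xA0, signed_data))
            apk.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            apk.writestr("META-INF/CERT.RSA", content_info)
    return buf.getvalue()


# Placeholders: the real publisher fingerprint is not on the page.
OFFICIAL_CERT = _der(0x30, b"constructed: official publisher certificate")
REPACKAGED_CERT = _der(0x30, b"constructed: repackager certificate")
OFFICIAL_FP = hashlib.sha256(OFFICIAL_CERT).hexdigest()

if __name__ == "__main__":
    for label, cert in (("official", OFFICIAL_CERT), ("repackaged", REPACKAGED_CERT)):
        print(label, classify_apk(build_sample_apk(cert), [OFFICIAL_FP]))
```

In practice the allowlist entry comes from a copy of the app obtained from the official store (for example the certificate digest printed by `apksigner verify --print-certs`); any sideloaded copy whose signer fingerprint differs has been re-signed by someone other than the publisher, which is exactly what a DroidJack-bundled repackage looks like.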

A Brief History of Mobile Malware Infographic

But even those living in areas where Pokemon GO is officially downloadable aren’t free from malicious activity. This time, security researchers at ESET discovered a lockscreen malicious app that made it all the way into the Google Play store. Once a user tried to open the app after downloading it, their screen would lock up, causing many victims to reboot. The adware then stays perfectly hidden in the background, clicking on porn ads to make money.

Pokemon GO is by no means the first time hackers have hijacked the popularity of a game to trick naive users into downloading a similar, yet malicious, app. It’s a tactic as old as time…or at least as old as computers. From malicious Angry Birds clones to fake banking apps to malicious components of legitimate applications, hackers have the mobile malware field covered. For a look back in mobile malware time, check out the infographic below!

[Infographic: A Brief History of Mobile Malware]

Malicious apps aren’t the only way your mobile phone can be compromised – perfectly legitimate apps have an average of 9 vulnerabilities, over 3 of which are high or critical. Read our research on The State of Mobile Application here!

Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.
