
Did You Treat Yourself To Pokémon Go Malware?

Gavin Phillips 15-07-2016

The world around me has exploded into a frenzy of augmented reality Pokémon trainers, with millions of individuals attempting to “catch them all” throughout their local environment. The long-awaited addition to the Pokémon series has taken budding trainers from their settees out into the streets, tugging heavily on the nostalgic heartstrings of adults who thought their Pokémon-catching addiction long dead.


Niantic, developers of Pokémon Go and its portal-capturing, alien-battling precursor, Ingress, are reveling in the currently unparalleled success their augmented reality game is experiencing. Ingress, though relatively popular, never achieved the globalized success of Pokémon Go. It is almost as if brand recognition is really useful!

The success isn’t without tribulation, though. Niantic appear not to have learned the lessons of the rough early days of Ingress. Their sudden success appears to have come somewhat as a surprise and, despite their adding an estimated $9bn to Nintendo’s market capitalization, big questions remain.

Amid the questions of “how do I lure a Charizard into my front room?” and “why does my town only have Doduos?” are more serious issues, such as widespread reports of Android malware spread through repackaged Pokémon Go APKs, as well as reports of individuals being mugged for their extremely expensive smartphones after wandering too far from their regular stomping grounds.

Let’s take a look.

Malicious Pokémon Go APKs

Pokémon evoke some damn strong memories for me. I played Red and Blue obsessively for years, watched the myriad TV series, and had the coolest ever poster of the first 150 Pokémon displayed proudly on my wall. But this is different.


First 151 Pokemon

Many individuals with a similar Pokémon background, who had long forgone their more prominent gaming desires, found the release of the augmented reality version too strong to resist. However, Niantic region-locked Pokémon Go, meaning those outside the USA, Australia, or New Zealand were meant to be unable to play until their official versions appeared in the device app stores.

Of course, that wasn’t likely to work, and it didn’t. While the applications didn’t appear in the Google Play Store or App Store in the UK, users quickly realized this could be easily worked around. Numerous Pokémon Go APKs (Android Application Packages) were uploaded to a huge range of APK repositories, so many that Googling “APK” only returns links for Pokémon Go.

Chrome APK search


Unfortunately, hackers saw this as a golden opportunity to upload APKs containing some seriously malicious code, targeting those users who just couldn’t wait for the official release date for their region.

Once downloaded onto the device of an unsuspecting user, the malicious code immediately executes as the APK is unpacked, and you’ve caught something of an entirely different prospect.

You Caught A RAT!

And not a Rattata. No, this is a Remote Access Tool, by the name of DroidJack, discovered by security researchers at Proofpoint. Also known as SandroRAT, this Android malware has been previously detailed by Symantec and Kaspersky, and gives an attacker remote access to the entire Android device the malicious APK is installed on. Proofpoint have offered two methods of checking whether your Android device has been infected:

  1. Check the SHA256 hash of the downloaded APK. The legitimate Pokémon Go APK hash should read 8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67. The hash of the malicious APK discovered by Proofpoint reads 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4.
  2. On your Android device, head to Settings > Apps > Pokémon Go, then scroll down to Permissions. The images below show the permissions required by the legitimate Pokémon Go APK, and the additional permissions granted to the malicious APK.

These are the legitimate Pokémon Go permissions:


Pokemon legitimate app permission settings

And this is the first page of the malicious Pokémon Go permissions:

Pokemon Go malicious app settings 1

And the second:


Pokemon Go malicious app settings 2

If you have been infected, immediately remove the application, and delete the malicious APK. Head to the Google Play Store and download Avast Mobile Security, and scan your device. Then, head back to the Play Store and download Malwarebytes Anti-Malware, again scanning your device.

Remove any malicious material discovered by either scan.

If you’re diligent with your Android device backups, you may have a whole system image to restore. If so, that is another excellent option for obliterating the malware.

Checking Your SHA256 Hash

There is an easy option available to Windows users, which doesn’t require a download or any installation.

Open an elevated Command Prompt. Use the following command to generate a hash, replacing the placeholder with the path to the downloaded APK:

certUtil -hashfile <path to the APK file> [hash algorithm]

Your hash algorithm choices are MD2, MD4, MD5, SHA1, SHA256, SHA384, or SHA512. In this case, use the SHA256 option.

Once generated, check the APK hash against the hash supplied by Proofpoint.
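As an added example (not part of the original article), a small Python script that performs the same check on any platform: it hashes the APK in chunks, normalizes a pasted digest (older certutil builds print the bytes separated by spaces, which breaks a naive string comparison), and compares the result against the two SHA256 values Proofpoint published. A digest that matches neither is reported as unknown, meaning a different build of the APK rather than proof of malware; the demo() helper classifies a constructed empty stand-in file.

```python
import hashlib
import os
import tempfile

# SHA256 digests as quoted in the article from Proofpoint's report.
LEGITIMATE_SHA256 = "8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67"
MALICIOUS_SHA256 = "15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4"


def normalize_digest(text):
    """Lower-case a pasted hex digest and drop whitespace.

    Older certutil versions print "8b f2 b0 ..." with a space between
    every byte, so a copy-and-paste comparison fails without this step.
    """
    digest = "".join(text.split()).lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA256 hex digest: %r" % text)
    return digest


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large APK is never read whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_digest(text):
    """Return 'legitimate', 'malicious' or 'unknown' for a digest.

    'unknown' only means this is not the build Proofpoint examined; it is
    neither proof of safety nor proof of infection.
    """
    digest = normalize_digest(text)
    if digest == LEGITIMATE_SHA256:
        return "legitimate"
    if digest == MALICIOUS_SHA256:
        return "malicious"
    return "unknown"


def classify_apk(path):
    return classify_digest(sha256_of_file(path))


def demo():
    """Classify a constructed (empty) stand-in file; returns (digest, verdict)."""
    fd, path = tempfile.mkstemp(suffix=".apk")  # constructed sample, not a real APK
    os.close(fd)
    try:
        return sha256_of_file(path), classify_apk(path)
    finally:
        os.remove(path)
```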

Other Issues: iOS Permissions

These are mixed in variety, but all worrying. Perhaps the biggest issue relates to Pokémon Go application permissions, which have been found to be worryingly (but wrongly, please read the next section before panicking!) intrusive on iOS devices. While most apps require some level of permissions to be granted to ensure they function, Pokémon Go seems to have significantly overshot the privacy boundaries by requesting (and gaining!) access to entire Google accounts. This means instead of the usual simple request for a name, email address, and in some cases, location, Pokémon Go and Niantic could access Google Drives, private Gmail accounts, phone contents, and more, as well as send emails as the affected user.

Niantic issued a statement to Gizmodo, declaring:

“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.

Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic.

Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”

This feels like one of those double-edged reassuring-but-how-did-this-happen moments, but at least it will be fixed post-haste. Now read the next little section, and feel happier.

Google Tech Support Says…

Dan Guido, CEO at Trail of Bits, has cast aspersions on this claim. Despite Niantic releasing their press statement declaring their investigation and apparent client-side fix, Guido believes “a giant section of the blog post might be wrong.”

A product engineer at Slack tested the OAuth token provided by the service, and found it did not provide any additional data or access to private services connected to a user’s Google account.

Other Issues: Law Enforcement

Law enforcement officers have been called to a number of incidents, all purporting to pertain directly to Pokémon Go. Most incidents report a Pokémon trainer wandering to a secluded location to capture a Pokémon, only to be ambushed by thieves who make off with the smartphone.

Some reports suggest the thieves are actually using the Pokémon Go application itself to locate Pokémon as they appear on the local map, heading to that location, and lying in ambush. Others describe individuals who have wandered into areas they would normally steer clear of in the hope of catching particularly rare Pokémon, or just monsters they do not normally encounter.

These extremely unpleasant experiences were rare during my time playing Ingress, though the odd story would crop up every now and then. However, it was usually inter-factional spooking rather than outsiders mugging players, or even outsiders using the application to track and monitor where individuals would be standing with their shiny, shiny smartphones. That said, a guy did wait for me next to my car one night after I destroyed his home portals, but that’s another story.

Advice: Please, be sensible. They’re fictional Pokémon you can live without. You cannot live without your life, and I hear being violently mugged can significantly shorten your life expectancy. Joking aside, don’t wander down roads using the Pokémon Go scanner without taking in your real-world surroundings, and don’t go hunting anywhere you wouldn’t normally consider. Pokémon cannot protect you in the real world.

Nice Law Enforcement

On the flipside, there have been some amusing reports of police officers stopping players wandering around, then joining them in the hunt when they realize what is going on. Remember, augmented reality gaming is still incredibly new to many, our law enforcement officers included. If you’re skulking around a graveyard normally frequented by heroin dealers, expect to get questioned. Just be courteous, and explain what you’re doing.

Police Playing Pokemon Go

Droidjack Uses Sideload…It’s Super Effective!

By opening your Android device up to unsigned and unverified APKs, you’re potentially inviting malware to your door. I’m not going to insult those users who happily download and use APKs outside of the Google Play Store by saying “Don’t do it, you’re guaranteed to get malware all the time,” because that isn’t true.

However, I do agree with Proofpoint that “this is an extremely risky practice and can easily lead users to install malicious apps on their own mobile devices … should an individual download an APK from a third party that has been infected with a backdoor, such as the one we discovered, their device would then be compromised.”

But the onus is very much on the user to perform their due diligence before downloading and installing software from an untrusted source. Just as installing software distributed via warez was once considered a sure-fire way to encounter a virus in days gone by, it really came down to your distributor. The same can be said for APK distribution sites.

Similarly, those sites actively encouraging users to download and install APKs from unknown sources should absolutely know better.

Avoid Team Rocket

Team Rocket’s Jessie and James (and Meowth!) are not actually featured in the game, but please, take care to avoid any nasty situations you might find yourself in. Simply put: it isn’t worth the hassle.

You’ll get your turn to be the very best.

Did you turn to an unofficial source for Pokémon Go? Did you encounter any trouble? Regale us with your stories below!
