Pokémon Go, Nintendo’s new augmented reality game, is all the talk right now. If you see people staring at their phones and running around in a frantic hurry, they probably have the Pokémon Go app open, trying to catch one of the nimble creatures that many of us grew up loving and wanting. Go, which is brought to us by Niantic (the same company that was responsible for a previous augmented reality hit, “Ingress”), is still not available worldwide, and as a result many fans around the world have thrown caution to the winds and installed the app via third-party websites. Unfortunately, this has prompted nefarious denizens of the net to inject a stream of malicious Pokémon Go apps online.
Security firm Proofpoint discovered the malicious application in the form of an APK which is infected with DroidJack. DroidJack is a Remote Access Tool (RAT) that silently opens a backdoor in devices for hackers to utilise. This particular piece of malicious software was uploaded to an online malware detection repository less than 72 hours after Nintendo officially released the game in Australia and New Zealand. By default, Android devices will not install apps from sources outside of the official Play Store; however, this restriction can be easily disabled, something most users have done in order to install the APK, thus letting the application infect the device. Proofpoint has also pointed out that many news outlets have even given instructions on how to do this in the case of Pokémon Go.
To find out whether or not your version of Pokémon Go is malicious, Proofpoint has stated the following:
“Individuals worried about whether or not they downloaded a malicious APK have a few options to help them determine if they are now infected. First, they may check the SHA256 hash of the downloaded APK. The legitimate application that has been often linked to by media outlets has a hash of 8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67, although it is possible that there are updated versions already released. The malicious APK that we analyzed has a SHA256 hash of 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4.
Another simple method to check if a device is infected would be to check the installed application’s permissions, which can typically be accessed by first going to Settings -> Apps -> Pokemon GO and then scrolling down to the PERMISSIONS section. Figure 1 shows a list of permissions granted to the legitimate application. These permissions are subject to change depending on the device’s configuration; for example the permissions “Google Play billing service” and “receive data from Internet” are not shown in the image but were granted on another device when downloading Pokemon GO from the Google Play Store. In Figures 2 and 3, the outlined permissions have been added by DroidJack. Seeing those permissions granted to the Pokemon GO app could indicate that the device is infected, although these permissions are also subject to change in the future.”
While the Pokémon Go hype has infected many with a desire to throw caution to the winds in an effort to capture a Bulbasaur, this revelation may prompt some users to wait until the app is available through official channels in their region.
Source: Proofpoint
