Skip to content
Naked Security Naked Security

Fake Pokémon GO app watches you, tracks you, listens to your calls

Pokémon GO not available in your country yet? Trying to get it unofficially? Be careful out there...

Have you heard of Pokémon GO?

If you haven’t, you probably will soon: it’s an online game for mobile phones, and it’s taken the world by storm.

It works something like this.

You install the app, give it access to your location and your camera (amongst numerous other permissions), and set about finding Pokémon creatures in the game.

Unlike most “virtual world” games, however, the map used in Pokémon GO is the world around you, and the creatures you’re supposed to find are added to the map.

To collect them, you actually have to go to where the virtual creatures are supposed to be.

When the game figures your geolocation data is close enough to the target location, you turn on your phone’s camera, and, hey, look at that!

There’s the creature, grafted into the live image, in what’s called “augmented reality.”

Once you’ve caught the three starter Pokémons, you need to venture around your neighbourhood to find PokéStops.

PokéStops are supposed to be near important landmarks such as statues and monuments (our closest is at the local skateboard park), where you can get hold of the ammo, sorry, Poké Balls you need to catch more characters.

Once you’ve got the balls, you can wander afield looking for Pokémons to shoot, ahem, capture, ahhh, train.

Obviously, walking around an urban landscape while watching your mobile phone screen is both dangerous and anti-social, as the app warns you each time you start it up:

Runaway popularity

We’re not sure we understand why going to the skateboard park to stare at the world through your phone’s camera is more fun than going there to skate, or even just to stare at the world through your own eyes, but there’s no mistaking the runaway popularity of Pokémon GO.

Even the most perfunctory online search will bring up dozens of articles offering advice all the way from how to fix “GPS not found” errors to “when to evolve and when to power up.”

Apparently, the success of the app has also been a problem: overloaded servers, delays in signing up, and more.

For that reason, it’s currently only available in the Apple App Store and on Google Play in a handful of countries.

Nevertheless, as you can see in the screenshots above, we’ve managed not only to install the app on Android in the UK, but also to use it successfully, with the UK maps and game infrastructure working just fine.

Indeed, the game’s already wildly popular over here in the UK, which means…

…that most players will have headed off to alternative markets to grab the software unofficially:

We’re not naive enough to assume that Google Play is immune to malware.

Nor do we buy into Google’s efforts in 2015 to “define away” the problem of malware in the Play Store by renaming all malware as Potential Harmful Applications (ironically divided into categories such as spyware, call_fraud, ransomware and even generic_malware).

But Google’s warnings about untrusted apps are worth heeding anyway, because the Play Store is relatively safe, especially compared to many alternative app markets where anything goes, and anyone can upload anything.

Pokémon GO malware

In fact, the crooks have gone there already, with at least one hacked “malware remix” of the official Pokémon GO app doing the rounds.

The “remix” is deliberately poisoned with an Android spyware/RATware/zombie toolkit that hides malware code inside a fully-functional and otherwise identical-looking version of the original app.

Spyware is malware that snoops on your online activities, such as listening into phone calls, intercepting SMSes and logging all your web browsing. RATs are Remote Access Trojans, an acronym coined to reflect the sort of creep who uses them, typically for leering secretly through other people’s webcams. Zombies, also know as bots, are remote control tools that let crooks send commands to a whole raft of infected devices at the same time, for example to steal data, send messages in bulk, or DDoS other people’s servers with massive spikes in unwanted traffic.

Sophos products blocked this Pokémon GO-based malware proactively as Andr/SandRat-C, a name that is derived from SandroRAT, a remote control toolkit that was announced publicly back in 2014, and that morphed into a snoopware “product” known as DroidJack, or DJ for short.

The big question

The big question, if you’re one of the many global users who has gone off-market to get your Pokémon GO fix, is this: “Would you back yourself to spot the difference if you downloaded a dodgy version by mistake?”

DroidJack doesn’t create an app that looks and behaves similarly to a well-known app in order to act as as a cover.

It takes an existing app and simply repackages it into an app that effectively is the original, but with some added spyware-related code that runs in the background.

For example, here are the startup screens of the original and of the malware-infected version:

Those screenshots, and the program code that’s controlling them, don’t just look identical, they are identical.

Spot the difference

Of course, there are tell-tale signs, if you know what to look for.

The Andr/SandRat-C remix of Pokémon GO has a whole load of additional sneaky features that run in the background, so it needs security permissions that the legitimate app doesn’t require:

But permissions aren’t always a good giveway: legitimate apps routinely ask, like Pokémon GO does, for access to your camera (which includes access to the microphone), to location data, and to external storage.

A spyware Trojan that was slightly less ambitious than Andr/SandRat-C, and stuck to a smaller set of eavesdropping “features”, could put you at almost as much risk with few or no additional permissions.

In any case, how many permissions are too many?

The Google Play app that you get with closed-source versions Android 5.1, for example, grants itself more than 100 special app permssions, from READ_VOICEMAIL and READ_GMAIL, through CAPTURE_VIDEO_OUTPUT, to DOWNLOAD_WITHOUT_NOTIFICATION. (If those aren’t enough, it also grabs the right to OBSERVE_GRANT_REVOKE_PERMISSIONS, just in case.)

Inside the SandRat

Decompiling the Andr/SandRat-C app makes the malicious parts stand out, even if you don’t have a legitimate copy of Pokémon GO to compare it with:

The functionality of these added DroidJack parts are, indeed, what their names suggest.

However, as with additional permissions, malware doesn’t have to be so blatantly obvious, and even a well-informed user with the Android Development Tools installed might struggle to spot the malicious needle in the haystack of a booby-trapped app.

For example, more subtle spyware could add fewer functions, could give them more legitimate-looking names, and could patch its extra code into existing parts of the app so it wasn’t directly visible in the application package.

After all, even to an expert, some of the components of the legitimate Pokémon GO app look suspicious at first sight:

In a programming ecosystem where names such as spacemadness.com.lunarmodule and javax.inject are unexceptionable, even a thinly digsuised malware component might effectively end up hidden in plain sight.

What to do?

What to do?

  • Avoid apps with a poor or non-existent reputation. Don’t trust an app about which no one yet seems to know anything.
  • Stick to Google Play if you can. Despite this and other recent failures, it’s still safer than unregulated Android markets where anything goes.
  • Use an Android anti-virus. The Sophos Mobile Security product is free, and protects you automatically from malicious and low-reputation apps.
  • Manage your business phones centrally. Sophos Mobile Control, for example, allows you to take control of options such as whether to allow untrusted app sources on phones used for work.


7 Comments

Pokemon Go is a great example of how warnings about access are pretty much useless. The game itself is already known (admitted by developers) to ask for way more access than it needs (pretty much everything). And yet millions of people (including myself) download it and click through the access requests anyway.

Well, the game is based upon knowing where you are with considerable accuracy (to align you on the map), using the camera (to do the “augmented reality” trick, and being online throughout (to keep you and the fame servers in synch).

So that’s INTERNET, CAMERA and LOCATION just for starters :-)

Ironically, on my test phone, the GPS receiver wouldn’t work properly inside Sophos HQ. I ended up with a red bar at the top of the screen warning me about “GPS not found”…

…that blocked my access to the option button to let me logout from the server.

So I was stuck in the game but couldn’t actually use it.

Well don’t stick to google play, stick to a trustworthy Application Repository. (Google Play, F-Droid, Apps Store, Your OS repository, …)
Never install something which doesn’t come from that repository, it applies to every system you use. (maybe not Windows and OS X but that’s why you should not use them)
And in the event that you need to install something outside of the repository, go to the official website.

What you seem to be saying is, “Don’t go off-market. Unless you have to. And if you have to, be careful.”

In the case of Pokémon GO, for most people outside the US there is no official website or mainstream repository – but I bet everyone who has found the app thanks to a URL from a friend of a friend considered themselves careful.

The tricky part is telling if you have been careful enough.

If you *really* want the apk, then do what I did
Download 3 copies of the apk from different sources, get checksum and be sure all checksums match and then scan them with something and check the permissions
If everything was successful, then you’re good to go with that apk

Pokémon Go seems to have been engineered specifically to test the limits of smartphone performance. To play the game you need to have GPS, mobile data and the LCD screen running pretty much full blast. On top of that, the processor is constantly updating and rendering a live map and trying to keep track of your items and effects.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?