Pokémon Go has taken the world by storm since its early July launch, but from privacy invasions to new malware detections, security concerns are rising.
Because the game was initially released in only a few countries (the U.S., Australia and New Zealand), a number of gaming websites provided instructions that allowed eager gamers elsewhere to download the game from untrusted third-party sites and sideload it onto their Android phones.
This provided an unprecedented opportunity for hackers, and it was only a matter of hours before the Nokia Threat Intelligence Lab detected copies of the game that had been injected with malware and made available for download from such third-party sites.
One sample of Pokémon Go was found to be infected with a remote access Trojan called “DroidJack,” which allows the attacker to track the mobile phone’s location, record calls, take pictures and steal information and files.
Source: Nokia Threat Intelligence Lab
To the user, it’s identical to the uninfected game, except that the first time it’s run, it asks for permission to:
- Access your contacts
- Manage and make phone calls
- Take pictures and record video
- Access the device’s location
- Access photos, media and files
- Record audio
Fortunately, most mobile anti-virus products will detect this and prevent installation. Also, given that the malware asks for an unusually large number of permissions, educated and aware users are likely to be tipped off and exercise caution.
Injecting the malware into the game is quite simple; the whole process takes less than 10 minutes. The hacker merely has to obtain a legitimate copy of the game and open the game package (APK file) using “apktool,” a standard part of an Android developer’s toolkit. This gives access to the game’s manifest, byte code, resources and assets.
The attacker then drops in the malware code, adjusts the manifest to include the malware components and makes a minor change to the game’s byte code so that the malware runs when the game starts up. Apktool can then be used to rebuild the app, which is signed with a bogus digital certificate; because the attacker does not hold the developer’s private signing key, the repackaged app’s signing certificate necessarily differs from the official build’s, which is one reliable way to tell a tampered copy apart. The app is then distributed to as many third-party app stores as possible.
Figure: Part of Pokémon Go manifest showing “DroidJack” injection.
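The permission list above and the manifest changes just described are exactly what an analyst looks for when triaging a sideloaded APK. The following script is an added example, not code from the article or from Nokia: it takes an AndroidManifest.xml as decoded by apktool, diffs its requested permissions and declared components against a baseline recorded from the official build, and flags anything extra. The baseline, the package name `com.example.game`, and the `net.placeholder.rat.*` component names are all constructed placeholders; neither the real game’s manifest nor the DroidJack sample is reproduced here.

```python
import xml.etree.ElementTree as ET

# Attributes in an Android manifest live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hypothetical baseline for the legitimate build: what an analyst would record
# from a copy obtained from the official store. Constructed for this example;
# it is not the real game's manifest.
EXPECTED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",  # the game is location based
    "android.permission.CAMERA",                # used for the AR view
    "android.permission.VIBRATE",
}
EXPECTED_COMPONENTS = {"com.example.game.MainActivity"}

# Constructed manifest standing in for the apktool-decoded manifest of a
# tampered build. Package and class names are placeholders.
TAMPERED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Game">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name="net.placeholder.rat.Controller"/>
        <receiver android:name="net.placeholder.rat.BootWatcher">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of the untampered build, to show the check stays quiet.
CLEAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Game">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package, set of permission names, list of (tag, class) components)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    components = []
    for tag in ("activity", "service", "receiver", "provider"):
        for e in root.iter(tag):
            name = e.get(ANDROID_NS + "name", "")
            if name.startswith("."):  # relative names resolve against the package
                name = package + name
            components.append((tag, name))
    return package, perms, components


def triage(xml_text, expected_perms, expected_components):
    """Diff a manifest against the baseline; return a list of (kind, detail) findings."""
    package, perms, components = parse_manifest(xml_text)
    findings = [("extra-permission", p) for p in sorted(perms - expected_perms)]
    for tag, name in components:
        if name in expected_components:
            continue
        # A component declared outside the app's own package is the strongest
        # sign of injected code; an unknown in-package component still merits a look.
        kind = "foreign-component" if not name.startswith(package + ".") else "unknown-component"
        findings.append((kind, f"{tag}:{name}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(TAMPERED_MANIFEST, EXPECTED_PERMISSIONS, EXPECTED_COMPONENTS):
        print(f"{kind:20} {detail}")
```

Run against the constructed tampered manifest, the script reports five permissions the legitimate build never asked for (contacts, phone calls, audio, storage and boot notification, matching the categories listed above) and two components declared under a package that is not the game’s own. The same diff applied to the clean manifest returns nothing. Real triage should pair this with a signing-certificate comparison, since a repackaged APK cannot carry the developer’s original signature.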
For consumers, the following rules will keep them safe:
- Don’t download games or apps from untrusted third-party sites
- Install anti-virus software on your mobile phone
- Don’t grant games or apps permissions they obviously don’t need
About the Author
Kevin McNamee, the Director of Nokia's Threat Intelligence Lab, is a seasoned IT security professional with more than 30 years of experience. Previously at Alcatel-Lucent he designed their cloud-based malware detection system and was director of Security Research with Alcatel-Lucent's Bell Labs, specializing in the analysis of malware propagation and detection. Kevin is the primary author of the Nokia Threat Intelligence Report and has had several recent speaking engagements at BlackHat, RSA, SECTOR and (ISC)2.
Edited by Peter Bernstein