The world around me has exploded into a frenzy of augmented reality Pokémon trainers, with millions of individuals attempting to “catch them all” throughout their local environment. The long awaited addition to the Pokémon series has taken budding trainers from their settees out into the streets, tugging heavily on the nostalgic heartstrings of adults who thought their Pokémon catching addiction long dead.
Niantic, developers of Pokémon Go and its portal capturing-come-alien battling precursor, Ingress, are reveling in the currently unparalleled success their augmented reality game is experiencing. Ingress, though relatively popular, never achieved the globalized success of Pokémon Go. It is almost like brand recognition is really useful!
The success isn’t without tribulation, though. Niantic appear to have neglected to learn lessons from the rough early days of Ingress. Their sudden success appears to have come somewhat as a surprise and, despite their adding an estimated $9bn to Nintendo’s market capitalization, big questions remain.
Amid the questions of “how to lure a Charizard into your front room” and “why does my town only have Doduos?” are more serious issues, such as widespread reports of Android malware spread through repackaged Pokémon Go APKs, as well as reports of individuals being mugged for their extremely expensive smartphones after wandering too far from their regular stomping grounds.
Let’s take a look.
Malicious Pokémon Go APKs
Pokémon evoke some damn strong memories for me. I played Red and Blue obsessively for years, watched the myriad TV series, and had the coolest ever poster of the first 150 Pokémon displayed proudly on my wall. But this is different.
Many individuals with a similar Pokémon background, who had long forgone their more prominent gaming desires, found the release of the augmented reality version too strong to resist. However, Niantic region-locked Pokémon Go, meaning those outside the USA, Australia, or New Zealand were meant to be unable to play until their official versions appeared in the device app stores.
Of course, that wasn’t likely to work — and it didn’t. While the applications didn’t appear in the Google Play Store or App Store in the UK, users quickly realized this could be easily worked around. Numerous Pokémon Go APKs (Android Application Packages) were uploaded to a huge range of APK repositories, so many that Googling “APK” only returns links for Pokémon Go.
Unfortunately, hackers saw this as a golden opportunity to upload APKs containing some seriously malicious code, targeting those users who just couldn’t wait for the official release date for their region.
Once downloaded onto the device of an unsuspecting user, the malicious code immediately executes as the APK is unpacked, and you’ve caught something of an entirely different prospect.
You Caught A RAT!
And not a Rattata. No, this is a Remote Access Tool, by the name of Droidjack, discovered by security researchers at Proofpoint. Also known as SandroRAT, this Android malware has been previously detailed by Symantec and Kaspersky, and gives an attacker remote access to the entire Android device the malicious APK is installed on. Proofpoint have offered two methods of checking whether your Android device has been infected:
- Check the SHA256 hash of the downloaded APK. The legitimate Pokémon Go APK hash should read 8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67. The hash of the malicious APK discovered by Proofpoint reads 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4.
- On your Android device, head to Settings > Apps > Pokémon Go, then scroll down to Permissions. The images below detail the permissions required by the legitimate Pokémon Go APK, and the additional permissions granted to the malicious APK.
These are the legitimate Pokémon Go permissions:
And this is the first page of the malicious Pokémon Go permissions:
And the second:
If you have been infected, immediately remove the application, and delete the malicious APK. Head to the Google Play Store and download Avast Mobile Security, and scan your device. Then, head back to the Play Store and download Malwarebytes Anti-Malware, again scanning your device.
Remove any malicious material discovered by either scan.
If you’re diligent with your Android device backups, you may have a whole system image to restore. If this is the case, it is another excellent option to obliterate the malware.
Checking Your SHA256 Hash
There is an easy option available to Windows users, which doesn’t require a download or any installation.
Open an elevated Command Prompt. Use the following command to generate a hash:
certutil -hashfile <path to the downloaded APK> [hash algorithm]
Your hash algorithm choices are MD2, MD4, MD5, SHA1, SHA256, SHA384, or SHA512. In this case, use the SHA256 option.
Once generated, check the APK hash against the hash supplied by Proofpoint.
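As an added example (not code from the article, Proofpoint, or Niantic), the two checks above combined in Python: hash the downloaded file and compare it with the two SHA256 values quoted earlier, then list any android.permission.* names in the APK's manifest that are absent from a known-good baseline. The baseline permission list, the sample APK builder and the regex scan of the manifest are my own constructions; the scan is a heuristic over the manifest bytes, not a full binary-XML parser.

```python
import hashlib
import io
import re
import zipfile

# SHA256 values published by Proofpoint, as quoted in the article.
LEGIT_SHA256 = "8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67"
MALICIOUS_SHA256 = "15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4"
# Heuristic: the binary manifest's string pool holds names as UTF-8 or
# UTF-16LE text, so scan both decodings instead of parsing AXML fully.
_PERM_RE = re.compile(r"android\.permission\.[A-Z0-9_]+")

def sha256_of(data: bytes) -> str:
    """Hex SHA256 of the whole file, like certutil -hashfile <apk> SHA256."""
    return hashlib.sha256(data).hexdigest()

def classify_hash(digest: str) -> str:
    """Match a downloaded APK's hash against the two published values."""
    if digest == LEGIT_SHA256:
        return "legitimate"
    if digest == MALICIOUS_SHA256:
        return "known-malicious"
    return "unknown"  # matches neither: a mismatch alone proves nothing

def manifest_permissions(apk_bytes: bytes) -> set:
    """android.permission.* names found in the APK's AndroidManifest.xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
            raw = apk.read("AndroidManifest.xml")
    except (zipfile.BadZipFile, KeyError):
        return set()  # not a zip, or no manifest: not a usable APK at all
    found = set()
    for text in (raw.decode("latin-1"), raw.decode("utf-16-le", "ignore")):
        found.update(_PERM_RE.findall(text))
    return found

def extra_permissions(apk_bytes: bytes, baseline) -> list:
    """Permissions the APK requests beyond a known-good baseline list."""
    return sorted(manifest_permissions(apk_bytes) - set(baseline))

def build_sample_apk(permissions) -> bytes:
    """Constructed stand-in for an APK: zip with UTF-16LE manifest + dex stub."""
    tags = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", f"<manifest>{tags}</manifest>".encode("utf-16-le"))
        apk.writestr("classes.dex", b"dex\n035\x00placeholder")
    return buf.getvalue()
```

For a real download, read the file's bytes and pass them to classify_hash(sha256_of(...)) and extra_permissions(...); an "unknown" hash means the file is simply not one of the two published builds, not that it is safe.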
Other Issues: iOS Permissions
These are mixed in variety, but all worrying. Perhaps the biggest issue relates to Pokémon Go application permissions, which have been found to be worryingly (but wrongly, please read the next section before panicking!) intrusive on iOS devices. While most apps require some level of permissions to be granted to ensure they function, Pokémon Go seems to have significantly overshot the privacy boundaries by requesting (and gaining!) access to entire Google accounts. This means that instead of the usual simple request for a name, email address, and in some cases, location, Pokémon Go and Niantic could access Google Drives, private Gmail accounts, phone contents, and more, as well as send emails as the affected user.
Niantic issued a statement to Gizmodo, declaring:
“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.
Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic.
Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”
This feels like one of those double-edged reassuring-but-how-did-this-happen moments, but at least it will be fixed post-haste. Now read the next little section, and feel happier.
Google Tech Support Says…
Dan Guido, CEO at Trail of Bits, has cast aspersions on this claim. Despite Niantic releasing their press statement declaring their investigation and apparent client-side fix, Guido believes “a giant section of the blog post might be wrong.”
@arirubinstein @SwiftOnSecurity Is it possible there is such a big design flaw in Google's OAuth v1 imp that it's basically "full access"?
— Rosyna Keller (@rosyna) July 12, 2016
A product engineer at Slack tested the OAuth token provided by the service, and found it did not provide any additional data or access to private services connected to a user’s Google account.
Other Issues: Law Enforcement
Law enforcement officers have been called to a number of incidents, all purporting to pertain directly to Pokémon Go. Most incidents report a Pokémon trainer wandering to a secluded location to capture a Pokémon, only to be ambushed by thieves who make off with the smartphone.
Some reports suggest the thieves are actually using the Pokémon Go application itself to locate Pokémon as they appear on the local map, heading to that location, and lying in ambush. Others describe individuals who have wandered into areas they would normally steer clear of in the hope of catching particularly rare Pokémon, or just monsters they do not normally encounter.
These extremely unpleasant experiences were rare during my time playing Ingress, though the odd story would crop up every now and then. However, it was usually inter-factional spooking rather than outsiders mugging players, or even outsiders using the application to track and monitor where individuals would be standing with their shiny, shiny smartphones. That said, a guy did wait for me next to my car one night after I destroyed his home portals, but that’s another story.
Advice: Please, be sensible. They’re fictional Pokémon you can live without. You cannot live without your life, and I hear being violently mugged can significantly shorten your life expectancy. Joking aside, don’t wander down roads using the Pokémon Go scanner without taking in your real-world surroundings, and don’t go hunting anywhere you wouldn’t normally consider. Pokémon cannot protect you in the real world.
Nice Law Enforcement
On the flipside, there have been some amusing reports of police officers stopping players wandering around, then joining them in the hunt when they realize what is going on. Remember, augmented reality gaming is still incredibly new to many, our law enforcement officers included. If you’re skulking around a graveyard normally frequented by heroin dealers, expect to get questioned. Just be courteous, and explain what you’re doing.
Droidjack Uses Sideload…It’s Super Effective!
By opening your Android device up to unsigned and unverified APKs, you’re potentially inviting malware to your door. I’m not going to insult those users who happily download and use APKs outside of the Google Play Store by saying “Don’t do it, you’re guaranteed to get malware all the time,” because that isn’t true.
However, I do agree with Proofpoint that “this is an extremely risky practice and can easily lead users to install malicious apps on their own mobile devices… should an individual download an APK from a third party that has been infected with a backdoor, such as the one we discovered, their device would then be compromised.”
But the onus is very much on the user to do their due diligence before downloading and installing software from an untrusted source. Installing software distributed via warez was once considered a sure-fire way to encounter a virus, but in days gone by it really came down to your distributor. The same can be said for APK distribution sites.
Similarly, those sites actively encouraging users to download and install APKs from unknown sources should absolutely know better.
Avoid Team Rocket
Team Rocket’s Jessie and James (and Meowth!) are not actually featured in the game, but please, take care to avoid any nasty situations you might find yourself in. Simply put: it isn’t worth the hassle.
You’ll get your turn to be the very best.
Did you turn to an unofficial source for Pokémon Go? Did you encounter any trouble? Regale us with your stories below!