Rogue Pokemon Go app puts 500,000 Android devices at risk
Prominent research firm Kaspersky Lab has discovered a new malicious app on the Google Play store: “Guide for Pokémon Go”, capable of seizing root access rights on Android smartphones and using that to install/uninstall apps and display unsolicited ads.
The app has been downloaded more than 500,000 times, with at least 6,000 successful infections. Kaspersky Lab has reported the Trojan to Google and the app has been removed from Google Play.
According to the security research firm, the global phenomenon of Pokémon Go has resulted in a growing number of related apps and, inevitably, increased interest from the cybercriminal community.
After analysing the “Guide for Pokémon Go” Trojan, researchers uncovered a malicious code that downloads rooting malware, securing access to the core Android OS for the purposes of app installation and removal as well as the display of advertising.
The Trojan includes some interesting features that help it to bypass detection. For example, it doesn’t start as soon as the victim launches the app. Instead, it waits for the user to install or uninstall another app, and then checks to see whether that app runs on a real device or on a virtual machine.
If it’s dealing with a device, the Trojan will wait a further two hours before starting its malicious activity. Even then, infection is not guaranteed. After connecting with its command server and uploading details of the infected device, including country, language, device model and OS version, the Trojan will wait for a response. Only if it hears back will it proceed with further requests and the downloading, installation and implementation of additional malware modules.
This approach means that the control server can stop the attack from proceeding if it wants to - skipping those users it does not wish to target, or those which it suspects are a sandbox/virtual machine, for example. This provides an additional layer of protection for the malware.
Once rooting rights have been enabled, the Trojan will install its modules into the device’s system folders, silently installing and uninstalling other apps and displaying unsolicited ads to the user.
Kaspersky Lab analysis shows that at least one other version of the malicious Pokémon Guide app was available through Google Play in July 2016. Further, researchers have tracked back at least nine other apps infected with the same Trojan and available on Google Play Store at different times since December 2015.
Our data suggests that there have been just over 6,000 successful infections to date, including in Russia, India and Indonesia. However, since the app is oriented towards English-speaking users, people in such geographies, and more, are also likely to have been hit.
People concerned that they may be infected with the Trojan should scan their device with mobile antivirus. If they are infected, there are tools available to help them remove the rooting malware, which can be a complex process.