Some may still know the adorable little pocket critters that were all the rage in the late 90s. Now they’re back as an Augmented Reality game for smartphones. Attackers try to use the popularity of this brand new game for themselves and prey on impatient gamers who cannot wait for the game to be released: at least one malicious version of the app has been discovered.
People freeze on the spot and stare intently at their smartphone displays, in shopping malls or at the side of the road, and then walk on again. You may hear mutterings along the lines of “Just another Pidgey”. The reason for this strange behavior is a game called Pokémon Go. Originally published by Nintendo for their Game Boy platform, the game is making a big comeback on smartphones as an Augmented Reality game, where the real world and the realm of the game meet. You catch cute little animated animals, but to do so you need to leave the house and physically go to the place where the animals are waiting, whether that is a public park, the side of the road or the mall. The developers give avid collectors of these little Japanese animals a new chance to live out their passion.
The craze around the game was also a call to action for some criminals: in a file sharing network, a version of the app installer was found that contained a remote control for Android devices. It appears that the legitimate app was repackaged with some added malware using a tool called “DroidJack”. The tool itself has legitimate use cases for developers, but in this case it was used to add a malicious piece of software called “AndroRAT”.
The malware first appeared in 2012/2013 and was already covered in G DATA's Mobile Malware Report H1/2013. Devices infected with this RAT (Remote Access Tool) give up a lot of personal information to an attacker, including but not limited to contact lists, logs and GPS coordinates. Attackers can even turn on the microphone and camera remotely. Data mined from an infected device can be sold for profit; blackmail based on audio or video recordings is also a possibility. The permissions requested by any app are displayed when downloading it from the Play Store, so cautious users can already spot suspicious apps at this point. Current versions of the Android operating system will also ask the user to confirm each permission when the app is first run.
It is also worth noting that the version of the app that is available to our researchers is signed using an expired certificate. The certificate holder also runs a blog, which seems to have been inactive since 2014. We cannot ascertain whether the manipulated app was distributed by that individual or whether the certificate was stolen and abused. In any case, it is unwise to sign an app with an expired certificate.
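The two checks described above, the requested permissions and the signing certificate, can be automated when triaging a sideloaded APK. The following is an added example written for this article, not G DATA's own tooling: it assumes the text output of `aapt dump badging app.apk` and `keytool -printcert -jarfile app.apk` has already been captured, and the package name, certificate owner and fingerprints in the sample are constructed placeholders.

```python
import re
from datetime import datetime

# Permissions that map to the RAT capabilities described in the article.
RAT_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.ACCESS_FINE_LOCATION": "track GPS coordinates",
    "android.permission.RECORD_AUDIO": "turn on the microphone",
    "android.permission.CAMERA": "turn on the camera",
}

def parse_permissions(badging_text):
    """uses-permission names from `aapt dump badging` (old and new line styles)."""
    return set(re.findall(r"uses-permission:(?:\s*name=)?'([^']+)'", badging_text))
def _keytool_date(text):
    parts = text.split()   # e.g. 'Mon Jun 04 10:00:00 UTC 2012'
    del parts[4]           # drop the zone token, which strptime does not accept
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")
def parse_validity(keytool_text):
    """(not_before, not_after) from the 'Valid from' line of `keytool -printcert`."""
    m = re.search(r"Valid from: (.+?) until: (.+)", keytool_text)
    if not m:
        raise ValueError("no validity line in keytool output")
    return _keytool_date(m.group(1)), _keytool_date(m.group(2))
def parse_sha256(keytool_text):
    m = re.search(r"SHA256:\s*([0-9A-Fa-f:]+)", keytool_text)
    return m.group(1).upper().replace(":", "") if m else None
def triage(badging_text, keytool_text, official_sha256, now=None):
    now = now or datetime.now()   # analysis date; defaults to today
    findings = []                 # empty list means nothing stood out
    if now > parse_validity(keytool_text)[1]:
        findings.append("signing certificate has expired")
    if parse_sha256(keytool_text) != official_sha256.upper().replace(":", ""):
        findings.append("signer is not the official publisher's certificate")
    for perm in sorted(parse_permissions(badging_text) & set(RAT_PERMISSIONS)):
        findings.append(f"requests {perm}: can {RAT_PERMISSIONS[perm]}")
    return findings

# Constructed sample tool output; package name, owner and fingerprints are placeholders.
SAMPLE_BADGING = """package: name='com.example.pokemon.repack' versionCode='1'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_CONTACTS'
"""
SAMPLE_FP = ":".join(["AB"] * 32)    # what keytool printed for the sideloaded APK
OFFICIAL_FP = ":".join(["CD"] * 32)  # known-good fingerprint of the real publisher
SAMPLE_KEYTOOL = f"""Owner: CN=Example Blogger, O=Example
Valid from: Mon Jun 04 10:00:00 UTC 2012 until: Sat Jun 04 10:00:00 UTC 2016
     SHA256: {SAMPLE_FP}
"""
```

Running `triage(SAMPLE_BADGING, SAMPLE_KEYTOOL, OFFICIAL_FP)` on the sample reports the expired certificate, the signer mismatch and the four permissions that give a RAT its spying capabilities.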
G DATA customers are protected from the malicious app, which is detected as “Android.Trojan.Kasandra.B”.
In general, these events demonstrate that criminals are highly adaptable and can react to current trends very quickly, such as an eagerly awaited game.
To spread this malware, its makers rely on the air of exclusiveness that comes with running a game which officially is not on the market yet – the phenomenon is similar to what record collectors experience when they acquire a specific hand-numbered limited edition of an album.
A player installs the manipulated app and might give up information in the process that was never intended to be seen by anybody else. Other actors are likely to jump on the bandwagon to profit from the enthusiasm with which the game was anticipated.
Since its launch, Pokémon Go has been downloaded over 5,000,000 times worldwide. According to the statistics portal SimilarWeb, within two days the app was installed on 5.16% of all Android devices in the US. To add a bit of perspective: the popular dating app ‘Tinder’ is installed on only a little over 2% of all devices.
Pokémon Go is set to break other records as well: SimilarWeb observations say that around 60% of all US installations of the game are being used actively on a daily basis. Compared to Twitter’s app, they predict that Pokémon Go might very soon have more daily active users than the popular 140-characters-per-message service.
All this argues for caution in the period immediately before the release of a highly anticipated game or other app.
Here are seven tips that will keep you safe while on the hunt for Pidgey and other Pokémon: