In the wildly popular mobile game Pokémon Go, the ultimate goal is to capture as many Pokémon as possible. For the creators of a malware-laden app some devious designers snuck into the Google Play store, the objective was similar—except for smartphone users—and they were quite successful.
Before it was pulled from the online marketplace earlier this week, Guide for Pokémon Go, a malicious app, was downloaded over half a million times.
The app’s true nature was discovered by researchers at the cybersecurity firm Kaspersky Lab, who notified Google. However, by the time the app was removed, at least 6,000 devices had been infected—primarily belonging to users in Russia, India, and Indonesia.
“In the online world, wherever the consumers go, the cybercriminals will be quick to follow…Pokémon Go is no exception,” Kaspersky Senior Malware Analyst Roman Unuchek said in a statement. He continued:
Victims of this Trojan may, at least at first, not even notice the increase in annoying and disruptive advertising, but the long term implications of infection could be far more sinister. If you’ve been hit, then someone else is inside your phone and has control over the OS and everything you do and store on it. Even though the app has now been removed from the store, there’s up to half a million people out there vulnerable to infection – and we hope this announcement will alert them to the need to take action.
In a blog post, Kaspersky researchers laid out how the app’s designers ingeniously designed the trojan to avoid detection:
The “Guide for Pokémon Go” root Trojan includes some interesting features that help it to bypass detection. It doesn’t start as soon as the victim launches the app. Instead, it waits for the user to install or uninstall another app, and then checks to see whether that app runs on a real device or on a virtual machine.
If it’s dealing with a device, the Trojan will then wait another two hours before starting its malicious activity. Even then, infection is not guaranteed. After connecting with its command server and uploading details of the infected device, including country, language, device model and OS version, the Trojan will wait for a response. Only if it hears back will it proceed with further requests and the downloading, installation and implementation of additional malware modules.
This approach means that the control server can stop the attack from proceeding if it wants to – skipping those users it does not wish to target, or those which it suspects are a sandbox/virtual machine, for example. This provides an additional layer of protection for the malware.
Once rooting rights have been enabled, the Trojan will install its modules into the device’s system folders, silently installing and uninstalling other apps and displaying unsolicited ads to the user.
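As an added example, not from the article or from Kaspersky's post: a small Python check that scores a constructed dynamic-analysis event trace against the staged pattern just described (trigger on another package's install or removal, the roughly two-hour wait, the device-profile beacon, and payload activity only after the server answers). The event names, the trace format and the host name are assumptions made up for the illustration.

```python
from datetime import datetime

# Constructed sandbox event trace (not real data); each line is "<ISO timestamp> <event> key=value ...".
TRACE = """\
2016-09-01T10:00:00 launch pkg=com.example.guideapp
2016-09-01T10:00:01 register_receiver action=android.intent.action.PACKAGE_ADDED
2016-09-01T10:05:00 broadcast action=android.intent.action.PACKAGE_ADDED
2016-09-01T10:05:01 read_prop key=ro.build.fingerprint
2016-09-01T12:05:30 net_connect host=c2.placeholder.invalid
2016-09-01T12:05:31 net_send fields=country,language,model,os_version
2016-09-01T12:05:40 net_recv bytes=512
2016-09-01T12:05:45 file_write path=/system/app/extra_module.apk
"""

PACKAGE_ACTIONS = {"android.intent.action.PACKAGE_ADDED",
                   "android.intent.action.PACKAGE_REMOVED"}
PROFILE_FIELDS = {"country", "language", "model", "os_version"}
MIN_DELAY_SECONDS = 2 * 60 * 60  # the two-hour wait described above

def parse(trace):
    """Turn the text trace into (timestamp, event name, {key: value}) tuples."""
    events = []
    for line in trace.splitlines():
        ts, name, *kv = line.split()
        events.append((datetime.fromisoformat(ts), name,
                       dict(item.split("=", 1) for item in kv)))
    return events

def first(events, name, pred=lambda attrs: True):
    """First (timestamp, attrs) of an event with this name matching pred, else None."""
    return next(((t, a) for t, n, a in events if n == name and pred(a)), None)

def staged_behaviour(trace):
    """Check a trace for the staged pattern; each value is True when that stage is observed."""
    ev = parse(trace)
    listens = first(ev, "register_receiver", lambda a: a.get("action") in PACKAGE_ACTIONS)
    trigger = first(ev, "broadcast", lambda a: a.get("action") in PACKAGE_ACTIONS)
    connect = first(ev, "net_connect")
    beacon = first(ev, "net_send")
    reply = first(ev, "net_recv")
    drop = first(ev, "file_write", lambda a: a.get("path", "").startswith("/system/"))
    gap = (connect[0] - trigger[0]).total_seconds() if trigger and connect else 0
    return {
        "waits_for_package_event": bool(listens and trigger and connect and trigger[0] <= connect[0]),
        "delays_about_two_hours": gap >= MIN_DELAY_SECONDS,
        "beacons_device_profile": bool(beacon) and PROFILE_FIELDS <= set(
            beacon[1].get("fields", "").split(",")),
        "acts_only_after_reply": bool(reply and drop and reply[0] < drop[0]),
    }
```

A sandbox that only runs a sample for a few minutes and never fires a package broadcast would show none of these stages, which is the point of the evasion; extending the run and synthesising such events is what makes the pattern visible.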
Following its release, Pokémon Go instantly became one of the most successful mobile games in history. At one point, it was attracting more daily users than Twitter and greater user engagement than Facebook. However, as the luster of the game’s pioneering use of augmented reality technology has faded, its audience has dropped by 79 percent. Even so, it’s still generating seven times as much revenue as its closest mobile gaming competitor, Candy Crush Saga.
This incident isn’t the first time hackers have targeted Pokémon hunters. In the first weeks after the app launched, it was only available in the United States, Australia, and New Zealand. If gamers in the rest of the world wanted to play, they had to “side-load” the application by downloading it through channels outside of the major, mainstream app stores. That opened up users to inadvertently downloading malware that allowed hackers to gain complete control over their devices when they believed they were only installing the game.