Pokémon Go or No Go?

Fortinet has issued an alert cautioning gamers against downloading popular game apps such as Pokémon Go from unfamiliar sources.

“Leading up to the official launch of Pokémon Go in the APAC region, some impatient gamers may have downloaded the virtual augmented game through unsecured third party websites and social media platforms,” said Axelle Apvrille, Senior Mobile Antivirus Researcher at Fortinet. “Like most applications nowadays, Pokémon Go (or the third party apps it uses) exposes your privacy and implies unwanted network traffic. With the rise of Pokémon Go, malware authors are likely to continue repackaging the game with a variety of malware and distribute it in different channels on Android and iOS platforms.”

According to Fortinet, there are two types of Pokémon Go applications which avid mobile gamers need to be wary of.

1. The Official Version: Released by original developer Niantic, the app is generally not malicious.

2. Hacked Versions: Developed by third-party developers and commonly known as “mods”, such apps are the most likely to have been injected with malware. One such version identified by Fortinet’s FortiGuard Labs had been injected with the DroidJack RAT (Remote Access Tool), which has been known since 2015. While on the surface the infected device operates normally, the malware runs silently in the background every time the phone is switched on (even when in sleep mode).

However, not all hacked versions are necessarily malicious. Fortinet has inspected hacks that allow play on Android 4.0 (the normal minimum requirement is 4.4) or that modify GPS coordinates, and neither showed any malicious intent.

Know the Risks before Downloading

Fortinet’s FortiGuard Labs has listed the following major risks for gamers before downloading Pokémon Go.

Risk #1 – Installing an Infected Version

Beware of infected versions, such as those carrying Android/SandrC.tr, dubbed DroidJack RAT.

More than 8,800 detections have been recorded in a year, with 160 in the last month alone.

Risk #2 – Full Access to Google Account Information

Although Niantic has fixed the error that granted the app full access to the user's Google account, users are advised to remove the permission from their account and upgrade the Pokémon Go application to the latest official version.

Risk #3 – Unwanted Network Traffic

Most Android applications are bundled with third-party kits (analytics, crash reporting, cross-platform engines, etc.) that consume bandwidth sending and receiving side information of varying usefulness: in the best case the exact model of your smartphone, in the worst personal information such as your phone number and other private data. Pokémon Go is one of these bandwidth-hungry applications.

Risk #4 – Spoofed Pokémon Map or Activity

To prevent attacks on the game, Niantic has since introduced certificate pinning in version 0.31.0 and above, which ensures that the application exchanges information only with the real Pokémon servers, over HTTPS, and not with any others.


Versions earlier than 0.31.0 lacked certificate pinning, so an attacker could perform a Man-In-The-Middle (MITM) attack and completely modify the game for victims. A malicious hacker could easily make other customizations, such as displaying an infected link at a PokéStop, or directly inject infected traffic.

While such attacks are probably feasible, they are tricky, and they would only work on the network where the Pokémon Go MITM proxy is set up.
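The pinning check described above, as an added example in Python and not the game's own code: an HTTPS client that, after normal chain validation, refuses to proceed unless the server certificate's SHA-256 fingerprint matches a pinned value, which is what stops a MITM proxy's locally trusted certificate from being accepted. The DER byte strings and the fingerprint list are constructed placeholders, not real certificates.

```python
import hashlib
import hmac
import http.client
import ssl
from typing import Iterable


class PinMismatchError(ssl.SSLError):
    """Raised when the peer certificate matches none of the pinned fingerprints."""


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pinned_fingerprints: Iterable[str]) -> bool:
    """True if the certificate matches one pinned fingerprint (hex, colons optional)."""
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower().replace(":", ""))
               for p in pinned_fingerprints)


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """HTTPS connection that fails closed unless the server certificate is pinned.

    Chain validation against the system trust store still happens first; the pin
    check then rejects any certificate a MITM proxy could have minted, even one
    issued by a CA the device has been made to trust.
    """

    def __init__(self, host: str, pinned_fingerprints: Iterable[str], **kwargs):
        super().__init__(host, context=ssl.create_default_context(), **kwargs)
        self._pins = tuple(pinned_fingerprints)

    def connect(self) -> None:
        super().connect()  # TLS handshake plus normal certificate validation
        der_cert = self.sock.getpeercert(binary_form=True)
        if not check_pin(der_cert, self._pins):
            self.close()  # never send a request over an unpinned connection
            raise PinMismatchError("peer certificate does not match pinned set")


# Constructed stand-ins for DER certificates (not real certificates):
LEGIT_CERT_DER = b"constructed-der-bytes-of-the-real-game-server-cert"
PROXY_CERT_DER = b"constructed-der-bytes-of-a-mitm-proxy-cert"
PINNED_FINGERPRINTS = [cert_fingerprint(LEGIT_CERT_DER)]

if __name__ == "__main__":
    print("real server accepted:", check_pin(LEGIT_CERT_DER, PINNED_FINGERPRINTS))
    print("proxy cert accepted: ", check_pin(PROXY_CERT_DER, PINNED_FINGERPRINTS))
```

Pinning the whole certificate means the pin set must be updated before the server certificate is renewed, otherwise legitimate traffic is rejected exactly the way a proxy's is.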
