Popular augmented reality game, Pokemon Go, has got international users “sideloading” it, or installing it outside of the official app store. Unfortunately for them, they may have downloaded an infected version of the app which contains a backdoor called DroidJack which allows hackers to gain access if the victim’s phone, according to Proofpoint. IT security experts commented below.
Tim Erlin, Director, Security and IT Risk Strategist at Tripwire:
“When it comes to malware, you really don’t want to catch ’em all. Cybercriminals are after any angle that helps them gain a foothold on your devices. A popular app that’s not available in some places is a near-perfect target for crafting a malware delivery strategy.
People have proven time and time again that they’ll click recklessly to get access to new, prohibited or early-release software. Attackers have proven time and time again that they’ll find a way to infect that software.
Installing software from third-party markets and unknown sources increases your risk of malware. Period.”
Kevin Epstein, VP, Threat Operations Centre at Proofpoint:
“DroidJack gives attackers complete access to mobile devices including user text messaging, GPS data, phone calls, camera—and any business network resources they access. This makes both the practice of side-loading applications (downloading apps from unofficial app stores) and the presence of apps like the malicious version of Pokemon GO especially concerning. Installing apps from third-party sources, other than officially vetted and sanctioned corporate app stores, is never recommended. Even though this malicious app has not been observed in the wild, it represents an important proof of concept: namely, that cybercriminals can take advantage of the popularity of applications like Pokemon GO to trick users into installing malware on their devices.
Consumers should be extremely wary of downloading apps from app stores other than the Apple App Store and Google Play. Many other app stores do not have security controls to prevent malicious attackers from posting versions of apps that have been tampered with.”
Tyler Reguly, Manager of Software Development at Tripwire:
“I think, in many ways, this comes down to a problem with software vendors and their approach to distribution. It’s an issue that’s mimicked in media distribution and comes down to two main issues, globalization and the “me first” attitude of Millennials and Generation Z. Media, regardless of the format, is distributed on a per-country or per-region basis rather than globally, yet online discussions happen at a global level and seeing the positive reviews of others forces that “me first” attitude to kick in, “I must try it at any cost.” The result is people download movies, music, books, and games from a variety of sketchy sources. The websites hosting this content are often plagued with drive-by attacks and malware, incorporating this into the actual download is a logical expansion.
Had Pokemon Go been released globally (since people everywhere are playing it), no one would have felt the need to visit third party sites to acquire the APK. As we move forward, companies should realize that global releases are beneficial to them and the end user. Whether it’s same day digital video rentals and theatrical releases, global album launches, or mobile applications available worldwide, it’s an option to curb piracy and, with so many malicious actors in play, secure the end user. In a perfect world, vendors could use their tiered release process and all would be well but a malware-laced mobile app does a better job of providing instant gratification. It could be interesting to run a survey to see if people would rather wait for an official release of Pokemon Go or knowingly install malware, I suspect a large number of people would accept the malware.”
Lee Munson, Security Researcher at Comparitech.com:
If you’re a Pokemon fan and you gotcha catch ‘em all, make sure your haul doesn’t include malware.
“The new Pokemon app, which is Go in the US, Australia and New Zealand, but no-go anywhere else, has caused quite a storm in the last couple of days.
“Hype abounds and all the cool people want to get playing. The only problem with that, is some are going to dangerous lengths to get hold of the game before it is officially launched in their territory.
“Flying in the face of age-old and sound security advice, they are foregoing official app stores to download the app from third parties, many of which are not being as helpful as it seems.
“For packed into the rogue Pokemon Go apps is malware that can give an attacker full control over an Android device (iPhone users, by and large, cannot install the files).
“So how are keen gamers supposed to get the real deal if Pokemon Go hasn’t yet been released in their country?
“In this case, I would say they shouldn’t – the reason Nintendo has slowed the roll out is due to playability issues so the best and safest answer is to sit tight and wait for the app to be released officially or use a VPN to download the official version.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.