
Pokemon GO might be stealing your data


If you haven’t heard of Pokemon GO yet, you should probably crawl out from under that rock and catch a rock-type while you’re at it! Not yet officially released in India, this AR-enabled game has already been downloaded by a large number of people here from unofficial websites hosting the APK. That copy is usually the build that was first launched in Australia and New Zealand.

Within 72 hours of that release, a tampered version of the APK was found circulating through third-party sources. This version gives an attacker full control over your phone, including the camera, text messages, phone calls, GPS location and more.

In this case, Proofpoint researchers discovered an infected Android version of the newly released mobile game Pokemon GO [1]. This specific APK was modified to include the malicious remote access tool (RAT) called DroidJack (also known as SandroRAT), which would virtually give an attacker full control over a victim’s phone. The DroidJack RAT has been described in the past, including by Symantec [2] and Kaspersky [3]. Although we have not observed this malicious APK in the wild, it was uploaded to a malicious file repository service at 09:19:27 UTC on July 7, 2016, less than 72 hours after the game was officially released in New Zealand and Australia.

Likely due to the fact that the game had not been officially released globally at the same time, many gamers wishing to access the game before it was released in their region resorted to downloading the APK from third parties. Additionally, many large media outlets provided instructions on how to download the game from a third party [4,5,6]. Some even went further and described how to install the APK downloaded from a third party [7]:

“To install an APK directly you'll first have to tell your Android device to accept side-loaded apps. This can usually be done by visiting Settings, clicking into the Security area, and then enabling the "unknown sources" checkbox.”

Unfortunately, this is an extremely risky practice and can easily lead to users installing malicious apps on their own mobile devices. Should an individual download an APK from a third party that has been infected with a backdoor, such as the one we discovered, their device would then be compromised.

Individuals worried about whether or not they downloaded a malicious APK have a few options to help them determine if they are now infected. First, they may check the SHA256 hash of the downloaded APK. The legitimate application most often linked to by media outlets has a hash of 8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67, although it is possible that updated versions have already been released, so a file whose hash matches neither value is not necessarily tampered. The malicious APK that we analyzed has a SHA256 hash of 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4.

Another simple method to check if a device is infected would be to check the installed application’s permissions, which can typically be accessed by first going to Settings -> Apps -> Pokemon GO and then scrolling down to the PERMISSIONS section. Figure 1 shows a list of permissions granted to the legitimate application. These permissions are subject to change depending on the device’s configuration; for example the permissions “Google Play billing service” and “receive data from Internet” are not shown in the image but were granted on another device when downloading Pokemon GO from the Google Play Store. In Figures 2 and 3, the outlined permissions have been added by DroidJack. Seeing those permissions granted to the Pokemon GO app could indicate that the device is infected, although these permissions are also subject to change in the future.
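The two checks described above, the SHA256 comparison and the permission review, combined into one offline triage script. This is an added example and is not Proofpoint's or Niantic's code. The two hashes are the ones quoted in this article; the baseline permission set is a constructed illustration (not the list from Figure 1), and the sample APK the script builds is a zip containing a fake binary manifest, not a real app. The permission scan does not parse the binary AXML format; it only searches the manifest's string pool for android.permission.* names, which is a quick triage trick, not an authoritative parse.

```python
"""Offline triage of a sideloaded APK: SHA256 check plus permission diff.

Added example, not Proofpoint's or Niantic's code. The two SHA256 values
are the ones quoted in the article; the baseline permission set and the
sample APK are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile
import zipfile

# Hashes quoted in the article: the legitimate build linked by media
# outlets, and the DroidJack-backdoored copy Proofpoint analysed.
LEGIT_SHA256 = "8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67"
DROIDJACK_SHA256 = "15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4"

# Constructed baseline (an assumption for this example): a plausible subset
# of what a legitimate build requests, NOT the list shown in Figure 1.
BASELINE_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
}

PERM_RE = re.compile(r"android\.permission\.[A-Z_]+")


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA256; APKs are tens of megabytes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify_hash(digest):
    """'unknown' is expected for any newer official build, so it must be
    followed by the permission check rather than treated as a verdict."""
    if digest == LEGIT_SHA256:
        return "known-good"
    if digest == DROIDJACK_SHA256:
        return "known-malicious"
    return "unknown"


def manifest_permissions(apk_path):
    """Pull android.permission.* names out of AndroidManifest.xml.

    The manifest inside an APK is binary AXML. This does not parse it; it
    scans the string pool, which is UTF-16LE by default or UTF-8 when the
    pool's UTF-8 flag is set, so the bytes are searched both ways.
    """
    with zipfile.ZipFile(apk_path) as z:
        raw = z.read("AndroidManifest.xml")
    views = [raw.decode("utf-8", errors="ignore")]
    # Both byte alignments, so a UTF-16 string at an odd offset still decodes.
    for off in (0, 1):
        views.append(raw[off:].decode("utf-16-le", errors="ignore"))
    found = set()
    for text in views:
        found.update(PERM_RE.findall(text))
    return found


def triage(apk_path, baseline=BASELINE_PERMISSIONS):
    """Combine both checks from the article into one report."""
    digest = sha256_file(apk_path)
    perms = manifest_permissions(apk_path)
    return {
        "sha256": digest,
        "hash_verdict": classify_hash(digest),
        "permissions": sorted(perms),
        # Permissions the baseline never asked for: the signal the article
        # tells users to look for under Settings -> Apps -> Pokemon GO.
        "extra_permissions": sorted(perms - set(baseline)),
    }


def build_sample_apk(path, extra=("android.permission.SEND_SMS",
                                  "android.permission.CALL_PHONE")):
    """Constructed stand-in for a backdoored APK: a zip whose manifest is a
    fake AXML blob of UTF-16LE, length-prefixed strings."""
    names = sorted(BASELINE_PERMISSIONS) + list(extra)
    blob = b"\x03\x00\x08\x00" + b"\x00" * 24  # fake chunk headers
    for n in names:
        blob += len(n).to_bytes(2, "little") + n.encode("utf-16-le") + b"\x00\x00"
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", blob)
        z.writestr("classes.dex", b"dex\n035\x00")  # placeholder, not real dex
    return path


def demo():
    """Build the constructed sample APK in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        return triage(build_sample_apk(os.path.join(d, "pokemon-go.apk")))


if __name__ == "__main__":
    result = demo()
    print("SHA256:", result["sha256"], "->", result["hash_verdict"])
    print("extra permissions:", ", ".join(result["extra_permissions"]) or "none")
```

Run it against a real download by calling triage("path/to/downloaded.apk") instead of demo(); a "known-malicious" verdict is conclusive, a "known-good" verdict only covers that one build, and for "unknown" the extra_permissions list is what to look at, keeping in mind that the baseline here is a constructed example and the legitimate set changes between versions, as the article notes. Tools such as aapt or apkanalyzer from the Android SDK give an authoritative manifest parse where this string scan is only a first pass.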

[Figures 1-3: permissions granted to the legitimate Pokemon GO app (Figure 1) and to the backdoored Pokemon GO APK, with the permissions added by DroidJack outlined (Figures 2 and 3)]

Source: Proofpoint