Pokémon Go: the Security Cost of Catching ’em All
For the past two weeks, full-grown adults, college students and children have all been roaming around the country in search of Pokémon (gotta catch ’em all, right?). This augmented reality mobile phenomenon has removed people from their home and encouraged them to explore their neighborhoods, but catching them all has come at a cost: beyond the physical issues – people have fallen off cliffs, crashed into trees and even located dead bodies – several privacy and security issues have emerged.
When those millions of users signed up a couple weeks ago, little did they know that if they signed up using their Google account they were giving the app access to their Google login credentials. This huge forfeiture of privacy gave Niantic Labs (formerly owned by Google), the firm behind the app, access to the private information in players’ Google accounts, including their Gmail, photos, videos, etc. Obviously, this wasn’t a good look for Niantic once this surfaced. The company has since said it was not malicious or intentional for the app to request full access to Google accounts — and it resolved the issue right away.
Unsurprisingly, the Pokémon Go phenomenon delivered a number of security issues as well. For example, the app is currently only available through Google Play or the App Store in a limited number of countries. As a workaround, users in other countries are downloading the app through third-party sites. Hackers have gotten wind of this and created malware-infected versions of the app through DroidJack, which makes the malicious version of the application incredibly difficult to identify, especially for your typical end-user.
The infected Pokémon Go apps are loaded with spyware, remote access trojans and bots that can give cybercriminals complete control over mobile devices. This level of access allows criminals to not only steal data, but to also intercept phone calls and messages and spy on victims through the camera lens and microphone.
Unfortunately, Pokémon Go’s security problems aren’t just limited to third-party app stores. Google Play has already discovered and removed three malicious apps disguised as help tools for Pokémon Go players. Titled, Pokémon Go Ultimate, Guide & Cheats for Pokémon Go, and Install Pokémongo, the apps could lock phone screens and trick users into buying unwanted services in order to get rid of the malware.
The Right Protections
Instead of blindly jumping on the Pokémon Go bandwagon, users should make sure they’re well protected. That’s where Zimperium comes in.
Zimperium’s customers are fully protected from malicious Pokémon Go apps through zIPS, the world’s first mobile intrusion prevention system that protects against the broadest array of mobile network, device and application cyberattacks. We’ve tested our technology against the the malicious Pokémon Go app and confirmed that our solution detects the malware and responds appropriately.
If you’re not protected by Zimperium, the best way to protect yourself is by avoiding downloading any app, including Pokémon Go, from a third-party app store. These marketplaces don’t have the same security standards as Google Play or the App Store, which puts Pokémon players at greater risk.
Stay safe and happy hunting!