Pokémon GO is a new mobile game that allows fans to “catch” Pokemons in the real world using augmented reality and their smartphones capabilities such as location technology and built-in cameras. The game was released on July 6 on both the Apple App Store and Google Play but only in Australia, New Zealand, and one day later in the United States. The app developer said that the game will be available in other countries soon but a lot of Pokemon fans do not want to wait for the official release in other regions; they are eager to get the game as soon as possible, so many of them may look for the APK on third-party sites—thus risking the security of their devices and information.
Taking into account the huge amount of Pokemon fans looking for the game on third-party sites, it was just a matter of time before a malicious version of the app appeared. One day after the release, Intel Security Mobile Research found a Trojanized Pokémon GO app being distributed in the wild. The filename of the malicious APK is very similar to the filename of the legitimate APK available on the third-party site apkmirror.com. However, the malicious app was not found in apkmirror; it is probably being distributed on another site.
When the malicious app is installed on the latest version of Android, there appears to be no difference from the legitimate app. Android says it does not require any special access:
However, when it is executed, the Trojanized app will request more permissions than the legitimate app, including suspicious ones suchas the ability to send and view SMS messages:
This request happens only on Android 6.0 and later; in older versions the user grants the permissions when the app is installed. Once the user has granted all permissions (at installation or during runtime), the game starts and works normally, but a controller starts in the background when there is a connectivity change or the device is started:
This service belongs to the Android remote administration tool DroidJack (aka SandroRAT), which was injected in the legitimate app. DroidJack, currently sold on its own site at a cost of US$210 for a lifetime package, is not new. It has been seen in the wild since 2014. Although the terms and conditions on the official site explicitly says “The product shall not be used to commit any kind of crime or anything against the law,” it was found in August 2014 targeting banking users in Poland. Probably due the use of the software to commit activities against the law, in October 2015 police across Europe and the United States carried out a number of house searches and arrests of suspected users of DroidJack. However, as we can see with this Trojanized game, the tool is still active and being distributed in the wild.
DroidJack can do almost anything on an infected device: from stealing SMS messages, call logs, contact lists, browser history, geolocation, and installed apps to executing commands remotely to take pictures, record video, record calls, or send an SMS message. In the last case, the Trojanized app communicates in the background with an IP address in Turkey and constantly reports if an app is in the foreground:
Or if the screen is off (in order to, for example, open a link using the default browser):
Spoofing or injecting malware into popular apps are the most effective ways to trick users into installing malware. Although Google Play is not malware free, the chances of getting infected from there are much lower than installing apps from third-party sites, especially file-sharing sites. For that reason, even if reputable websites tell you to enable the installation from unknown sources to install an APK downloaded from a third-party site, it is better to wait a couple of days until the official app is available in your region.
McAfee Mobile Security detects this Android threat as Android/SandroRAT and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.