As a result, many gamers have already started, out of curiosity, to search for the app outside official app stores. Crooks are using this opportunity to exploit the popularity of the game by spreading a malicious version of the Pokemon GO app that infects Android mobile devices and installs a backdoor to gain complete control over the victim's smartphone.

The official Pokemon GO app was first launched in Australia and New Zealand on July 4th, and later on July 6th in the U.S., but the malicious app was first uploaded to an online malware detection repository on July 7. According to a report from security biz Proofpoint, repackaged versions of the game have been found carrying malware dubbed DroidJack that grants remote-control access of infected devices to crooks. Also, many media outlets have published instructions on how to download the game from a third party.

“The augmented reality game was first released in Australia and New Zealand on July 4th and users in other regions quickly clamoured for versions for their devices. It was released on July 6th in the US, but the rest of the world will remain tempted to find a copy outside legitimate channels. To that end, a number of publications have provided tutorials for “side-loading” the application on Android. However, as with any apps installed outside of official app stores, users may get more than they bargained for,” reported Proofpoint in a blog post.

In order to install the malicious Pokemon GO app, the gamer needs to “side-load” it by disabling an Android security setting (the restriction on installing apps from unknown sources).

“Unfortunately, this is an extremely risky practice and can easily lead users to installing malicious apps on their own mobile devices,” points out Proofpoint. “Should an individual download an APK from a third party that has been infected with a backdoor, such as the one we discovered, their device would then be compromised.”

For example, the malicious Pokemon GO app requests more permissions than the legitimate one, Proofpoint says.
“Even though this APK has not been observed in the wild, it represents an important proof of concept: namely, that cybercriminals can take advantage of the popularity of applications like Pokemon GO to trick users into installing malware on their devices,” Proofpoint said.

If you want to check whether you have installed the clean APK or the modified Pokemon GO version carrying the DroidJack malware, it is quite easy to do so. First, check the SHA256 hash of the downloaded APK. The legitimate application that has often been linked to by media outlets has a hash of 8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67, although updated versions may already have been released, so a non-matching hash is not by itself proof of tampering. The malicious APK has a SHA256 hash of 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4.

Another simple method to check whether a device is infected is to inspect the installed application's permissions, which can be accessed by going to Settings -> Apps -> Pokemon GO -> Permissions and comparing them with those the clean app requests.
- Permissions asked by the clean Pokemon Go app 
- Permissions asked by the infected Pokemon Go app 
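The two checks described above (hash comparison and a permission diff) as a small script; this is an added example, not Proofpoint's code. Only the two SHA256 values come from the article; the function names and the permission baseline are constructed for illustration.

```python
"""Check a side-loaded Pokemon GO APK against the hashes reported by Proofpoint.

Added example: the two SHA256 values are quoted from the article; everything
else (function names, the permission baseline) is constructed for illustration.
"""
import hashlib
import sys

# SHA256 hashes quoted in the article (lowercase hex).
LEGIT_SHA256 = "8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67"
DROIDJACK_SHA256 = "15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4"


def sha256_bytes(data: bytes) -> str:
    """Hex SHA256 of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hex SHA256 of a file, read in 1 MiB chunks so a large APK is not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_hash(digest: str) -> str:
    """Map a digest to a verdict. 'unknown' is not 'clean': the article notes that
    updated legitimate builds may exist, and a repackaged copy may differ too."""
    d = digest.strip().lower()
    if d == LEGIT_SHA256:
        return "legitimate"
    if d == DROIDJACK_SHA256:
        return "known-malicious"
    return "unknown"


# Constructed baseline of permissions a location/camera game plausibly needs.
# This is sample input for the diff logic, NOT the real manifest of either APK.
BASELINE_PERMISSIONS = frozenset({
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
})


def extra_permissions(observed, baseline=BASELINE_PERMISSIONS):
    """Permissions the installed app requests beyond the clean baseline, i.e. the
    manual Settings -> Apps -> Permissions comparison, done programmatically."""
    return sorted(set(observed) - set(baseline))


if __name__ == "__main__":
    for apk in sys.argv[1:]:
        print(apk, classify_hash(sha256_file(apk)))
```

Run it as `python check_apk.py pokemon.apk`; on a device, the observed permission list for `extra_permissions` can be read from the Permissions screen named above.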
The infected Pokemon GO APK has been modified in such a way that, when launched, the victim would likely not notice that they have installed a malicious application. The figure below shows the startup screen from the infected Pokemon GO game, which is identical to the legitimate one.
Gamers are advised to be careful when downloading software from third-party app stores. “Bottom line, just because you can get the latest software on your device does not mean that you should,” the security researchers write. “Instead, downloading available applications from legitimate app stores is the best way to avoid compromising your device and the networks it accesses.”

Source: Proofpoint