
Pokémon GO: Did Your Customers Install Pirated Copies With Malware?

The online game of the moment is Pokémon GO, a mobile phone app that became so popular so quickly that its availability was limited outside the USA in order to stop the game servers being overloaded.

But what about everyone outside the US who wants to join in the fun?

On iOS, there’s not a lot you can do to install apps from alternative markets, because Apple only officially supports the App Store for downloads.

On Android, however, there’s an option called “Allow apps from untrusted sources” that opens up your phone to software from anywhere, not just Google Play.

So, millions of people all over the world are deliberately lowering their Android security settings to pirate Pokémon GO from unofficial download sites.

Pirated Apps and Malware Risks

Is it safe to do this?

After all, millions of people have already pirated the app, apparently without anything bad happening, so surely the many millions who follow the crowd will be OK, too?

Cybercrooks love this sort of “herd risk taking,” because they can take advantage of it.

Indeed, we’ve already seen a modified version of Pokémon GO that looks and plays identically to the original, but includes Android spyware known as DroidJack that can watch you via your camera, track you via GPS, intercept your text messages, listen in to your calls, and more.

And the burning question is, “If you downloaded a hacked version of Pokémon GO by mistake, would you be able to spot the imposter?”

Google Play has seen enough malware sneak through recently to remind us that even the guys who make the rules can’t always tell the difference.

Understanding the Risks

Check out our Naked Security article to understand the risks of “remixed” unofficial downloads, and why it isn’t always easy to tell good apps from bad ones, at least without expert help.

Our tips:

  • Avoid apps with a poor or non-existent reputation. Don’t trust an app about which no one yet seems to know anything.
  • Stick to Google Play if you can. Despite various recent failures, it’s still safer than unregulated Android markets where anything goes.
  • Use an Android anti-virus. The Sophos Mobile Security product is free, and protects you automatically from malicious and low-reputation apps.
  • Manage your business phones centrally. Sophos Mobile Control, for example, allows you to take control of options such as whether to allow untrusted app sources on phones used for work.

Oh – one more thing.

Pokémon GO requires you to walk around in real life while watching your mobile phone screen.

As the app itself reminds you, every time it starts up, “Remember to be alert at all times.”


Paul Ducklin is a senior security advisor at Sophos. Article originally appeared on the Sophos blog.