IFSEC Insider is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
A security firm has discovered malware disguised as the Pokémon GO app that covertly sends SMS messages to premium-rate numbers.
Cyber security experts at Zscaler ThreatLabZ spotted an Android SMS Trojan disguised as the Pokémon GO app in their threat feeds.
ThreatLabZ said the malware installs itself with the legitimate Pokémon GO application icon so that users are not suspicious. It was served to unsuspecting gamers from the following URL: http[:]//taigamesvui[.]xyz/sms/pokemongo[.]apk
The malware looks just like the real app, as the screenshot below demonstrates:
When the user clicks on the icon the following page is presented to the victim.
Downloading APK
As soon as the user clicks again, the malware apparently downloads a copycat version of the Pokémon Go game from the following URL: http[:]//waptuoitre[.]net/dulieu/pokemongo[.]apk
The following code shows how the malware is sending SMS to premium numbers.
HTML code
Unlike most Android malware, this Pokémon imposter performs its malicious activity from an HTML page in its assets folder, the company says. The ‘Android.send’ function, which is defined in the dex file, is triggered by the HTML page as soon as the user unwittingly sanctions the activity by clicking again.
The function code below shows how the SMS messages are sent to premium-rate numbers.
Send SMS code routine
ThreatLabZ says the code fortunately only works in Vietnam, but warns that copycat threats that deploy other country-specific codes may emerge.
The downloaded app crashes regularly, encouraging the user to open it repeatedly, which triggers the malicious activity again each time.
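The mechanism described above (an HTML page shipped in the APK's assets folder calling a method that lives in the dex, which on Android means a WebView JavaScript bridge registered with addJavascriptInterface; the page's description supports this but does not state it) suggests a simple static triage for similar samples. The following Python is an added example, not ThreatLabZ's code or anything shown on the page. It unpacks an APK with the standard library and looks for three artefacts together: the SEND_SMS permission in the binary manifest, the addJavascriptInterface and sendTextMessage method names in the dex string table, and an HTML or JS asset that calls a bridge object. The bridge object name ‘Android’, the in-memory sample APK and the strings written into its fake dex are constructed assumptions for the demonstration; real analysis would decode the manifest properly with apktool or androguard rather than rely on raw string searches.

```python
import io
import re
import zipfile

# Method names land verbatim in the DEX string table (MUTF-8), so the ASCII
# identifiers can be searched as raw bytes without parsing the file.
DEX_MARKERS = (b"addJavascriptInterface", b"sendTextMessage", b"sendMultipartTextMessage")

# Binary AndroidManifest.xml keeps its string pool in UTF-16LE by default;
# newer aapt2 builds may store it as UTF-8, so both encodings are checked.
SEND_SMS = "android.permission.SEND_SMS"


def _has_string(blob: bytes, text: str) -> bool:
    return text.encode("utf-8") in blob or text.encode("utf-16-le") in blob


def triage_apk(apk_bytes: bytes, bridge_obj: str = "Android") -> dict:
    """Return indicators of an HTML-asset-driven SMS sender inside an APK.

    These are string heuristics, not a verdict: a legitimate app that sends
    SMS through a WebView bridge trips the same indicators.
    """
    # Matches e.g. "Android.send(" inside an asset; the object name is the one
    # passed to WebView.addJavascriptInterface and is an assumption here.
    call_pattern = re.compile(r"\b%s\.(\w+)\s*\(" % re.escape(bridge_obj))
    findings = {
        "send_sms_permission": False,
        "dex_markers": [],
        "html_assets": [],
        "bridge_calls": [],  # (asset path, method name) pairs
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower == "androidmanifest.xml":
                findings["send_sms_permission"] = _has_string(zf.read(name), SEND_SMS)
            elif lower.startswith("classes") and lower.endswith(".dex"):
                blob = zf.read(name)
                findings["dex_markers"] += [m.decode() for m in DEX_MARKERS if m in blob]
            elif lower.startswith("assets/") and lower.endswith((".html", ".htm", ".js")):
                findings["html_assets"].append(name)
                text = zf.read(name).decode("utf-8", errors="replace")
                for m in call_pattern.finditer(text):
                    findings["bridge_calls"].append((name, m.group(1)))
    # Flag only when all three pieces line up: permission, bridge in code,
    # and an asset that actually invokes the bridge.
    findings["suspicious"] = (
        findings["send_sms_permission"]
        and "addJavascriptInterface" in findings["dex_markers"]
        and bool(findings["bridge_calls"])
    )
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for the imposter APK (not real malware): just the
    three artefacts the triage looks for, assembled in memory as a zip."""
    manifest = SEND_SMS.encode("utf-16-le")  # mimics the AXML string pool
    dex = b"dex\n035\0" + b"\0".join([
        b"Landroid/webkit/WebView;", b"addJavascriptInterface",
        b"Landroid/telephony/SmsManager;", b"sendTextMessage",
    ])
    html = (
        '<html><body onload="go()">\n'
        "<script>function go(){ Android.send('premium-number-placeholder', 'text'); }</script>\n"
        '<a href="#" onclick="go()">Download</a></body></html>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", dex)
        zf.writestr("assets/index.html", html)
        zf.writestr("res/drawable/icon.png", b"\x89PNG")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

Run against a real sample by passing the APK's bytes to triage_apk; the bridge_obj argument lets you retarget the asset scan when a sample names its JavaScript interface something other than ‘Android’.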
Click fraud
Another rogue app, meanwhile, disguised itself as a guide to installing Pokémon GO from the third-party store ApkMirror. But ‘Install Pokemon GO’ (the icon for which is highlighted below) actually displayed a banner for several seconds and then began auto-clicking on the screen.
Icon
The victim was shown, for a few seconds, a banner about how to install Pokémon GO. It was simply a snapshot with some red-coloured highlights showing the steps.
Installation banner
After a few seconds it started displaying ads on the main screen, as shown in the screenshot above. Along with this, the app launched the browser, opened several links automatically and began auto-clicking at the same time.
The screenshot below shows several links opened within a very short span of time. It also shows the type of ads loaded by the auto-clicker app:
Auto clicked links and displayed ads
The damage that such apps can inflict is less severe than that of banking Trojans or ransomware, but the seriousness of this threat lies in the fact that it may have been downloaded by thousands of users from the official Google Play store. Such apps leak victims’ data, including device info, SIM details, time zones and, more importantly, location.
The iOS version of the genuine app required full access to a user’s Google account when the user signed in via Google. Such unwarranted levels of data access by third-party servers create a serious risk of data theft, according to Zscaler ThreatLabZ.
The game’s developer, Niantic Labs, blamed the issue on coding errors, and the app now only requests the player’s Gmail address and user ID.
Meanwhile, hacker group PoodleCorp claimed responsibility for taking down Pokémon GO servers with DDoS attacks over the weekend. The group, which overwhelmed the servers with traffic from a botnet of malware-infected computers under remote control, is now threatening to take Pokémon GO servers down for more than 24 hours on 1 August.
DDoS attacks have soared by 149% in the past year. The following infographic from the New Jersey Institute of Technology offers more information on the rise of DDoS attacks and the encryption solutions being developed to combat them.
Beware Malware Disguised as Pokemon Go App, Warns Security Firm
ThreatLabZ has spotted an Android SMS Trojan disguised as the Pokémon GO app in its threat feeds.