IFSECInsider-Logo-Square-23

Author Bio ▼

IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
July 22, 2016

Sign up to free email newsletters

Download

Whitepaper: Multi-residential access management – The move to digital

Beware Malware Disguised as Pokemon Go App, Warns Security Firm

A security firm has discovered malware disguised as the Pokemon Go app that covertly sending SMS to premium numbers.

Cyber security experts at ThreatlabZ spotted an Android SMS Trojan disguised as the Pokémon GO app in their threat feeds.

Zscaler ThreatLabZ said the malware, installs itself with the legit Pokémon GO application icon so that the users are not suspicious, routed unsuspecting gamers to the following URL: http[:]//taigamesvui[.]xyz/sms/pokemongo[.]apk

The malware looks just like the real app, as the screenshot below demonstrates:

pokemon go malware

When the user clicks on the icon the following page is presented to the victim.

pokemon go malware 2

Downloading APK

As soon as the user clicks again, the malware apparently downloads a copycat version of the Pokémon Go game from the following URL: http[:]//waptuoitre[.]net/dulieu/pokemongo[.]apk

The following code shows how the malware is sending SMS to premium numbers.

pokemon go malware HTML code

HTML code

Unlike most malware on Android phones, this Pokemon imposter performs malicious activity from a HTML page in its asset folder, says the company. The ‘Android.send’ function, which is defined in the dex file, is trigged by the HTML page as soon as the user unwittingly sanctions the activity by clicking again.

The function code below shows how SMS are being sent to premium numbers.

pokemon go malware 3

Send SMS code routine

pokemon go malware 4

Threatlabz says the code fortunately only works in Vietnam, but warns that copycat compound threats that deploy other country specific codes may emerge.

The downloaded app crashes regularly, encouraging the user attempt to open it repeatedly and again triggering more malicious activity.

Clickfrauds

Another rogue app, meanwhile, disguised itself as a guide to installing Pokémon GO from third party store ApkMirror. But ‘Install Pokemon GO’ (the icon for which is highlighted below) actually displayed a banner for several seconds and began auto clicking on the screen.

pokemon go malware 5

Icon

The victim for few seconds regarding how to install Pokémon GO. It was simply a snapshot with some red colored highlights showing the steps.

pokemon go malware 6

Installation banner

After few seconds it started displaying ads on main screen as shown in screenshot above.  Along with this, the app started browser and opened several links automatically and started auto clicking simultaneously.

The screenshot below shows several links opened within very short span of time. It also shows the type of ads loaded by the auto clicker app:

pokemon go malware 7

Auto clicked links and displayed ads

The damage that such apps can inflict is definitely less severe as compared to banking Trojans and/or ransomware, but the seriousness of this threat lies in the fact that it may have been downloaded by almost thousands of users from the official Google Play store. Such apps leak victims’ data including device info, sim details, time zones and more importantly, the location.

IFSEC Global recently reported on how Pokemon Go craze has caused alarm in the CIA, Gulf states and among several data security experts. Our sister site TFM has explored the monetisation and marketing possibilities created by this phenomenon, while the SHP considered the health and safety angle.

Privacy

Security researchers have reported that the original Pokemon Go app asked for considerably more access to a player’s device than it actually needs.

The iOS version of the app required full access to a user’s Google account when the user signed in via Google. Such unwarranted levels of data access from third-party servers creates a serous risk of data theft, according to Zscaler ThreatLabZ.

The game’s developer, Niantic labs, blamed the issue on coding errors and the app now only requires player’s Gmail account and user ID.

Meanwhile, hacker group PoodleCorp claimed responsibility for taking down Pokemon Go servers using DDoS attacks over the weekend. The PoodleCorp group, which overwhelmed servers with traffic from a network of virus-connected computers that were remotely controlled by cyber criminals, are now threatening to take down Pokemon Go servers for more than 24 hours on 1 August.

DDoS attack have soared by 149% in the past year. The following infographic from the New Jersey Institute of Technology offers more information on teh rise of DDoS attacks and the encryption solutions being developed to combat them.

20th-Century-and-Beyond-Encryption-Technology-Edits1

 

Listen to the IFSEC Insider podcast!

Each month, the IFSEC Insider (formerly IFSEC Global) Security in Focus podcast brings you conversations with leading figures in the physical security industry. Covering everything from risk management principles and building a security culture, to the key trends ahead in tech and initiatives on diversity and inclusivity, the podcast keeps security professionals up to date with the latest hot topics in the sector.

Available online, and on Spotify, Apple Podcasts and Google Podcasts, tune in for an easy way to remain up to date on the issues affecting your role.

IFSECInsiderPodcastLogo

Related Topics

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments