Author Bio ▼

IFSEC Global is the online community for the Security and Fire industry. Our market-leading live events span the globe, connecting buyers and sellers.
July 22, 2016

Sign up to free email newsletters


The Video Surveillance Report 2021

Beware Malware Disguised as Pokemon Go App, Warns Security Firm

A security firm has discovered malware disguised as the Pokemon Go app that covertly sending SMS to premium numbers.

Cyber security experts at ThreatlabZ spotted an Android SMS Trojan disguised as the Pokémon GO app in their threat feeds.

Zscaler ThreatLabZ said the malware, installs itself with the legit Pokémon GO application icon so that the users are not suspicious, routed unsuspecting gamers to the following URL: http[:]//taigamesvui[.]xyz/sms/pokemongo[.]apk

The malware looks just like the real app, as the screenshot below demonstrates:

pokemon go malware

When the user clicks on the icon the following page is presented to the victim.

pokemon go malware 2

Downloading APK

As soon as the user clicks again, the malware apparently downloads a copycat version of the Pokémon Go game from the following URL: http[:]//waptuoitre[.]net/dulieu/pokemongo[.]apk

The following code shows how the malware is sending SMS to premium numbers.

pokemon go malware HTML code

HTML code

Unlike most malware on Android phones, this Pokemon imposter performs malicious activity from a HTML page in its asset folder, says the company. The ‘Android.send’ function, which is defined in the dex file, is trigged by the HTML page as soon as the user unwittingly sanctions the activity by clicking again.

The function code below shows how SMS are being sent to premium numbers.

pokemon go malware 3

Send SMS code routine

pokemon go malware 4

Threatlabz says the code fortunately only works in Vietnam, but warns that copycat compound threats that deploy other country specific codes may emerge.

The downloaded app crashes regularly, encouraging the user attempt to open it repeatedly and again triggering more malicious activity.


Another rogue app, meanwhile, disguised itself as a guide to installing Pokémon GO from third party store ApkMirror. But ‘Install Pokemon GO’ (the icon for which is highlighted below) actually displayed a banner for several seconds and began auto clicking on the screen.

pokemon go malware 5


The victim for few seconds regarding how to install Pokémon GO. It was simply a snapshot with some red colored highlights showing the steps.

pokemon go malware 6

Installation banner

After few seconds it started displaying ads on main screen as shown in screenshot above.  Along with this, the app started browser and opened several links automatically and started auto clicking simultaneously.

The screenshot below shows several links opened within very short span of time. It also shows the type of ads loaded by the auto clicker app:

pokemon go malware 7

Auto clicked links and displayed ads

The damage that such apps can inflict is definitely less severe as compared to banking Trojans and/or ransomware, but the seriousness of this threat lies in the fact that it may have been downloaded by almost thousands of users from the official Google Play store. Such apps leak victims’ data including device info, sim details, time zones and more importantly, the location.

IFSEC Global recently reported on how Pokemon Go craze has caused alarm in the CIA, Gulf states and among several data security experts. Our sister site TFM has explored the monetisation and marketing possibilities created by this phenomenon, while the SHP considered the health and safety angle.


Security researchers have reported that the original Pokemon Go app asked for considerably more access to a player’s device than it actually needs.

The iOS version of the app required full access to a user’s Google account when the user signed in via Google. Such unwarranted levels of data access from third-party servers creates a serous risk of data theft, according to Zscaler ThreatLabZ.

The game’s developer, Niantic labs, blamed the issue on coding errors and the app now only requires player’s Gmail account and user ID.

Meanwhile, hacker group PoodleCorp claimed responsibility for taking down Pokemon Go servers using DDoS attacks over the weekend. The PoodleCorp group, which overwhelmed servers with traffic from a network of virus-connected computers that were remotely controlled by cyber criminals, are now threatening to take down Pokemon Go servers for more than 24 hours on 1 August.

DDoS attack have soared by 149% in the past year. The following infographic from the New Jersey Institute of Technology offers more information on teh rise of DDoS attacks and the encryption solutions being developed to combat them.



Related Topics

Notify of
Inline Feedbacks
View all comments