
Fake Pokémon Go app contains malware and can steal your information

Priority Level: Moderate
13 July 2016

A malicious version of the popular Pokémon Go game is believed to be targeting Android users. The existence of this malware (malicious software) reinforces that smartphone owners should only install apps from legitimate app stores (such as Google Play or Apple's App Store) to reduce the risk to their devices and data.

Pokémon Go was released officially in Australia on 6 July 2016. However, some people may be tempted to install unofficial versions of the app, using a method known as 'side-loading'. The method involves downloading a copy of the game from a location on the internet that is not an official app store, and installing it onto a smartphone.

You are advised to be extremely cautious when side-loading apps, and Stay Smart Online recommends that you do not install apps from unofficial sources. It can be hard to verify that unofficial apps do not contain malware or have not otherwise been altered.

The malicious version of Pokémon Go for Android smartphones was recently discovered on a known malware website. The malicious version contained a Trojan, a piece of software that installs itself onto a smartphone or another device and allows an attacker to steal sensitive information. To date, this malicious version has not been seen on official app stores.

Separately, Niantic Labs, the company behind Pokémon Go, has issued a statement acknowledging that the Pokémon Go account creation process on iOS was erroneously requesting full permission for users' Google accounts. Full account access would have enabled the app to view and modify nearly all information in a user's Google account, including email, Google Drive documents, search history and other personal information. 'Pokémon Go only accesses basic Google profile information (specifically, your user ID and email address) and no other Google account information is or has been accessed or collected,' the statement said. 'Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.'

Staying safe

You should install antivirus software on your smartphone or tablet. Modern smartphones are essentially small mobile computers and need similar protection to your laptop or desktop computer.

If you have installed an unofficial version of Pokémon Go, or are not sure if you have, seek immediate technical advice. If you installed the app from the official Android or Apple app stores, then you do not need to worry about this threat. The security researchers who discovered the malicious version of Pokémon Go have outlined how to identify an infected computer and actions to take.

Google and Apple scan apps that appear on their respective stores for Android and Apple devices. However, it is possible to circumvent these scans by using dynamic behaviour, such as turning the malicious activity off until a later date. Despite this threat, installing apps from the official app store significantly reduces the risk of a malware attack on your smartphone.

Both Google and Apple update their countermeasures, but it is always possible that new malicious apps will be discovered. For this reason, it is important that users are constantly vigilant about the apps they install onto their phone.

For users who enjoy testing brand new apps, a safe method to use is to buy a new smartphone or tablet for the purposes of app testing only. Do not put any private data on this new phone, do not sign into your normal Google or online accounts, and be careful when connecting it to WiFi networks. If you are unsure about how to safely test apps, either seek technical advice or stay with more popular and tested apps from the Google Play store.

Stay Smart Online recommends that, when downloading apps, you always check how much access to your information each app requests. If the app requests more information than you are comfortable with, or is unclear about how much information it accesses, you should cancel the download and installation or remove the app from your device.

More information

Stay Smart Online has information on staying secure when using mobile devices.

Technical information on the malware installed as part of the malicious version of Pokémon Go can be found on Symantec's website.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.