
Risks behind Pokémon Go


At FortiGuard, we wouldn’t let you down without an analysis of Pokémon Go. Is it safe to install? Can you go and hunt for Pokémon, or stay by a pokestop longing for pokeballs? While this article won’t help you with game strategy, I’ll give you my first impressions from analyzing the game.

There are two sorts of Pokémon applications:

1. The official versions, issued by Niantic.

We will talk more about these later, but in brief, they are not malicious.

2. The hacked versions. These are also known as “mods”, and are issued by other developers for a variety of reasons. It is in this category that we are most likely to encounter malware. For instance, a repackaged version infected with the DroidJack RAT has been found in the wild.

However, not all hacked versions are necessarily malicious: we inspected hacks that let the game run on Android 4.0 (the minimum requirement is normally 4.4) and hacks that modify GPS coordinates, and neither showed any malicious intent.

Besides manual inspection, we also sent those samples to our learning-based Android prediction engine, SherlockDroid / Alligator, which confirmed our analysis 😉

Risk #1 Installing an infected version

As mentioned earlier, a sample with sha256

is infected with Android/SandrC.tr, dubbed DroidJack RAT.

This is known malware, for which we have had a signature since 2015. Therefore, Fortinet customers were protected from this malicious Pokémon app from the beginning 🙂

This malware is quite widespread. Internal statistics at Fortinet indicate more than 8,800 detections in a year, and 160 last month alone, and those figures are a significant underestimate for several reasons, including the fact that reporting is not enabled by default. What you should remember is that this malware is still in the wild and currently active.

More malware to come?

Yes, almost certainly. Malware authors are likely to keep re-packaging the game with a variety of malware and distributing it. The fact that the game wasn’t released in all countries on the same date (forcing impatient users to look for alternatives on the web), combined with the existence of large game hacking (that’s nice) and cheating (that’s bad 😉) communities, only increases the chance of downloading an infected version of the game.

Risk #2 Full Google Account Information? (This is fixed)

Adam Reeve noticed that the game requested full access to your Google account. Note: we are not talking about an Android permission here, but about the permission granted to an app connected to your Google account.

This was an error, and Niantic has fixed it. So be sure to remove the permission from your account and upgrade your Pokémon Go application.

Finally, note that the documentation is not entirely clear about exactly what “full access” covers, but no malware or exploit abusing it has been reported so far.

Risk #3 Unwanted network traffic

In a perfect world, we’d expect games to only send packets over the network that are absolutely necessary for the game to run, such as your location, the details of Pokémon around you, etc.

However, this is very far from reality. For years now, most Android applications have been bundled with third-party kits (analytics, crash reporting, cross-platform engines, etc.) which consume bandwidth sending and receiving side information of varying usefulness: in the best case, the exact model of your smartphone; in the worst, personal information such as your phone number and other private data.

Pokémon Go is one of these bandwidth-hungry applications. I downloaded it two weeks ago, and it is already close to being the greediest application on my phone.
