Whilst Pokémon fans all over the world have spent the last few days hooked on trying to ‘catch ‘em all’ with the new GPS-based augmented reality iOS and Android mobile game Pokémon Go, several security issues have reared their heads as the popularity of the app continues to skyrocket.
Firstly, Proofpoint discovered that Android users who opted to use roundabout ways of getting hold of the game (only released in the US, Australia and New Zealand so far) – often ‘sideloading’ it, or installing it outside of the official app store – may have downloaded an infected version of the app which contains a backdoor called DroidJack. According to the cybersecurity firm, the malicious software allows hackers to spy on victims’ phones and gain access to them.
“DroidJack gives attackers complete access to mobile devices including user text messaging, GPS data, phone calls, camera – and any business network resources they access,” said Kevin Epstein, VP, Threat Operations Center at Proofpoint. “This makes both the practice of side-loading applications (downloading apps from unofficial app stores) and the presence of apps like the malicious version of Pokemon GO especially concerning.”
Consumers should be extremely wary of downloading apps from app stores other than the Apple App Store and Google Play, added Epstein, as many other app stores do not have security controls to prevent malicious attackers from posting versions of apps that have been tampered with.
“Installing apps from third-party sources, other than officially vetted and sanctioned corporate app stores, is never recommended. Even though this malicious app has not been observed in the wild, it represents an important proof of concept: namely, that cyber-criminals can take advantage of the popularity of applications like Pokemon GO to trick users into installing malware on their devices.”
What’s more, there seem to be privacy issues with the game: developer Niantic confirmed in a statement that the Pokémon Go app requests more permissions than it needs, although it has not accessed any user information.
Ed Macnair, CEO at cloud security company CensorNet said:
“Overnight there’s been some controversy over Pokémon Go and the access it’s given to Google accounts when users sign up. While the creators of the game, Niantic, have since said it was unintentional and will be corrected, it raises an important issue about app permissions and how much attention we pay to them. Aside from the personal privacy issues, who’s to say an employee won’t use their work Gmail account to sign up to Pokémon Go?”
However, Macnair was quick to point out that this is not just a Pokémon Go issue, but one that is becoming all too common across the cyber industry.
“Employees are often quick to download the latest app to access or share data and it’s unlikely they’ll be scrutinizing what they are granting the app access to. In the event of a hack targeting the creators, criminals will potentially be given access to a treasure trove of data – followed by the inevitable brute force attempts thanks to the cache of usernames and passwords they’ll be in possession of.
“Businesses need to stay vigilant to the applications and websites their employees are using and have the tools in place to give them absolute certainty someone is who they say they are, as well as the ability to block access if there’s any risk. The implications of failing to do so could be devastating.”
By Michael Hill