Hackers Created a Malicious Version of Pokémon GO That’s Infecting Android Phones

July 11, 2016 | Kelly Tatera

Pokemon GO app
Photo credit: Eduardo Woo/flickr (CC BY-SA 2.0)

Here’s how to check that your app is legitimate. 

The new Pokémon GO game was only released a few days ago (July 6), but it’s already spreading like wildfire. Sadly, not everyone around the world can be included in the race to catch the most Pokémon since the game hasn’t yet been rolled out internationally — Nintendo and The Pokémon Company first have to increase the server capacity.

However, people are finding other ways to download the Pokémon GO game in the meantime, and tech security experts are warning that it might be best to hold off in light of the discovery of a malicious version of the game being sent around by hackers.

Less than 72 hours after Nintendo released the game in Australia and New Zealand, the faux-Pokémon GO app was discovered by a security firm called Proofpoint. The firm discovered a version of the game infected with DroidJack — a malicious remote access tool (RAT). Basically, DroidJack installs a backdoor that grants hackers complete control of the user’s Android phone.

“A number of publications have provided tutorials for "side-loading" the application on Android. However, as with any apps installed outside of official app stores, users may get more than they bargained for,” Proofpoint wrote in a blog post.


Some media outlets have even published instructions on how to accept side-loaded apps on Android devices: you open the device’s security settings and enable the “unknown sources” checkbox. This allows users to install apps from websites other than Google Play, but it also gives hackers a much better chance of infiltrating the device.

Luckily, Proofpoint has laid out a few ways that users can check whether their app is the legitimate one or the compromised malware. A simple way is to check the application’s permissions, by going into Settings > Apps > Pokemon GO and then scrolling down to the permissions section.

The major red flag is that in the hacked Pokémon GO permissions, there are features that say “this may cost you money” and others that state the user is agreeing to let the app record audio, change network connectivity, and edit, read, or send text messages.
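The permission check Proofpoint describes can also be done away from the phone’s Settings screen, by comparing the permissions a suspect APK declares against those of the known-good build and flagging the same warning categories the article lists. The script below is an added example, not Proofpoint’s code; the two permission dumps are constructed stand-ins in the format printed by the Android SDK’s `aapt dump permissions` tool, not the real Pokémon GO manifest, and the package name is a placeholder.

```python
"""Diff a suspect APK's requested permissions against the legitimate build's
and flag the categories Android warns about (added example, not Proofpoint's code)."""
import re

# Android permission names grouped by the warning text Android shows for them.
# "This may cost you money" covers sending SMS and placing phone calls.
RISK_GROUPS = {
    "may cost you money": {"android.permission.SEND_SMS",
                           "android.permission.CALL_PHONE"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "change network connectivity": {"android.permission.CHANGE_NETWORK_STATE",
                                    "android.permission.CHANGE_WIFI_STATE"},
    "read, edit or send text messages": {"android.permission.READ_SMS",
                                         "android.permission.WRITE_SMS",
                                         "android.permission.SEND_SMS",
                                         "android.permission.RECEIVE_SMS"},
}

# aapt prints one line per declared permission, e.g.
#   uses-permission: name='android.permission.INTERNET'
# Older aapt builds print  uses-permission:'android.permission.INTERNET'
# The non-greedy .*? accepts both forms.
PERM_LINE = re.compile(r"^uses-permission:.*?'([\w.]+)'")


def parse_aapt_permissions(dump: str) -> set[str]:
    """Extract the permission names from an `aapt dump permissions` listing."""
    return {m.group(1) for line in dump.splitlines()
            if (m := PERM_LINE.match(line.strip()))}


def extra_permissions(baseline: set[str], suspect: set[str]) -> list[str]:
    """Permissions the suspect build requests that the legitimate build does not."""
    return sorted(suspect - baseline)


def risky_permissions(perms: set[str]) -> dict[str, list[str]]:
    """Map each warning category to the requested permissions that trigger it."""
    return {label: sorted(perms & names)
            for label, names in RISK_GROUPS.items() if perms & names}


# Constructed sample dumps. The package name and both permission lists are
# placeholders, not the real game's manifest.
LEGIT_DUMP = """\
package: name='com.example.game'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
"""

# The suspect build declares everything the legitimate one does, plus the
# kind of permissions a remote access tool needs.
SUSPECT_DUMP = LEGIT_DUMP + """\
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.CHANGE_NETWORK_STATE'
"""


def audit(legit_dump: str, suspect_dump: str) -> dict:
    """Return the extra permissions and the flagged categories for a suspect build."""
    legit = parse_aapt_permissions(legit_dump)
    suspect = parse_aapt_permissions(suspect_dump)
    return {"extra": extra_permissions(legit, suspect),
            "risky": risky_permissions(suspect)}


if __name__ == "__main__":
    result = audit(LEGIT_DUMP, SUSPECT_DUMP)
    for perm in result["extra"]:
        print("not in legitimate build:", perm)
    for label, perms in result["risky"].items():
        print(f"{label}: {', '.join(perms)}")
```

A game client has no reason to read or send text messages or record audio, so any permission that appears in the suspect build but not the legitimate one is the signal; the category grouping just translates the raw names back into the warnings a user would see on the phone.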

To see the full comparisons of the real Pokémon GO permissions and the malicious version, you can check Proofpoint’s blog post here.

Another way to tell whether the app has been tampered with is to compare its SHA-1 hash with the one published for the legitimate build. SHA-1 is a cryptographic hash function designed by the United States National Security Agency; it condenses a file of any size into a fixed-length string of characters, and any modification to the file, however small, changes that string.
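Carrying out that comparison on a downloaded APK takes only a few lines. The script below is an added example, not Proofpoint’s code: it hashes the file in chunks, normalizes the reference hash so a pasted value with different letter case still compares, and rejects a reference value that is the wrong length for the algorithm. The file name and the reference hash it uses are constructed placeholders, not the real Pokémon GO values.

```python
"""Verify a downloaded APK against a publisher-supplied SHA-1 (or SHA-256) hash.
Added example, not Proofpoint's code; all sample data below is constructed."""
import hashlib
import hmac
import os
import tempfile

# Hex-digest lengths, used to catch a truncated or mis-pasted reference hash
# before it is compared against anything.
HEX_LENGTHS = {"sha1": 40, "sha256": 64}


def normalize_hash(expected: str, algorithm: str = "sha1") -> str:
    """Lowercase the reference hash, drop separators, and validate its shape."""
    cleaned = expected.strip().lower().replace(":", "").replace(" ", "")
    want = HEX_LENGTHS[algorithm]
    if len(cleaned) != want or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError(f"expected a {want}-character hex {algorithm} digest, got {expected!r}")
    return cleaned


def digest_bytes(data: bytes, algorithm: str = "sha1") -> str:
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path: str, algorithm: str = "sha1", chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so a large APK never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, expected: str, algorithm: str = "sha1") -> tuple[bool, str]:
    """Return (matches, actual_digest) for the file at `path`."""
    want = normalize_hash(expected, algorithm)
    actual = digest_file(path, algorithm)
    # compare_digest gives an exact, constant-time string comparison.
    return hmac.compare_digest(actual, want), actual


def demo() -> dict:
    """Write a constructed stand-in for an APK, verify it against its own hash,
    then change a single byte and show the verification fails."""
    original = b"PK\x03\x04 constructed stand-in for an APK payload"
    tampered = original[:-1] + b"!"      # one-byte modification
    reference = digest_bytes(original)   # stands in for the published hash
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "suspect.apk")   # placeholder file name
        with open(path, "wb") as f:
            f.write(original)
        clean_ok, _ = verify_file(path, reference.upper())  # case must not matter
        with open(path, "wb") as f:
            f.write(tampered)
        tampered_ok, tampered_digest = verify_file(path, reference)
    return {"clean_matches": clean_ok,
            "tampered_matches": tampered_ok,
            "reference": reference,
            "tampered_digest": tampered_digest}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats apply. The reference hash has to come from a source you trust independently of the download (here, Proofpoint’s post), not from the same site that served the file, or the check proves nothing. And SHA-1 is no longer considered collision-resistant, so where a publisher also offers a SHA-256 digest, pass `algorithm="sha256"` and compare that instead.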

According to Proofpoint, the legitimate Pokémon GO SHA-1 hash is:


(Note: Proofpoint cautions that updated versions of the app may already have been released, which would carry different hashes.)

And the malicious Pokémon GO SHA-1 hash is:


Unfortunately for users who are still waiting for the game to be released in their region, it’s probably best to wait it out rather than run the risk of downloading the malicious version.

“Bottom line, just because you can get the latest software on your device does not mean that you should,” Proofpoint concludes. “Instead, downloading available applications from legitimate app stores is the best way to avoid compromising your device and the networks it accesses.”

