In case you have not heard, there is a new craze going on with an augmented-reality smartphone app called Pokémon Go. It’s a geocaching game, meaning it’s tied to real-world locations.
It’s a smash hit, sending people onto the street to catch virtual creatures that players can capture, train and trade, in real-world locations called Pokestops.
However, the game’s rapid rollout and breakaway success have their risks. Pokémon Go has immediately hit several security and privacy-related speed bumps.
- The Google Login Permissions Problem
Many security researchers have been warning that the initial release of the Pokémon Go app has access to many more device permissions than needed, meaning a possible privacy risk.
- Trojanized Apps
Just 72 hours after the release of Pokémon, bad guys had Trojanized a legitimate version of the free Android app to include malware and released it via unofficial, third-party app stores, researchers at security firm Proofpoint said.
The malicious Android application file “was modified to include the malicious remote access tool called DroidJack – also known as SandroRAT, which would virtually give an attacker full control over a victim’s phone,” the researchers warn in a blog post. Gaming websites have begun publishing instructions about how users can download the app, including using side-loading – evading Google’s official app store – to install it.
Proofpoint said: “In the case of the compromised Pokémon Go APK we analyzed, the potential exists for attackers to completely compromise a mobile device. If that device is brought onto a corporate network, networked resources are also at risk.”
- Send this to your employees, friends and family:
You have probably heard about the new Pokémon app. It’s going viral and sends people on the street to catch these little virtual creatures. There are some risks if you have the “gotta catch ’em all” fever.
First, please stick to the vetted app stores; do not download the app from anywhere else. Why? Bad guys have taken the app and infected it with malware, and try to trick you into downloading it from untrustworthy websites.
Second, anyone using the app, and especially kids, should be VERY careful that they are not lured into a real-world trap, which could lead to mugging or abduction. Other players can track you in the real world using this app, so be careful.
Third, there are possible privacy issues if you use your Google account to log into the app. Create a throw-away account and use that to log into Pokémon, not your private or business account.
As always, Think Before You Click!