Pokemon Go has generated huge interest around the world. Despite only being launched in a limited number of regions, the game has been installed millions of times in less than a week. On July 8, Pokemon Go was installed on twice as many US Android devices as the dating app Tinder was, and its daily active users were nearly as numerous as Twitter’s.
Cybercriminals have noticed the hype, creating social media scams and Trojanized versions of the app to take advantage of Pokemon Go players. Other users have developed ways to cheat at Pokemon Go, such as spoofing GPS locations. The official app was also hit with controversy over privacy issues related to the permissions it requests.
In light of these reports, we take a look at the security issues surrounding Pokemon Go and how you can protect your device.
Free PokeCoin scams
Pokemon Go has in-app purchases, where users can spend real money to buy a virtual currency called PokeCoins. Players can spend the PokeCoins on items, such as incense to lure Pokemon to their location or eggs that could hatch rare Pokemon. Some users may try to bypass this system by searching for discounted or free PokeCoins online. Unfortunately, scammers have prepared for this scenario.
If a user searches for “Pokemon Go free coins generator”, they’ll find links that lead them to classic survey scams. These links are widespread across the internet, from posts on gaming forums to dedicated scamming sites. The majority of fraudulent results are posts on social media sites or videos with alleged proof that the PokeCoin hacking tool works.
Figure 1. Scam site asks users to confirm they are human before they can access a non-existent PokeCoin hacking tool
Once the user arrives on the scam site, they are asked for their Pokemon Go user name and the amount of coins they want. So far, no scam we’ve seen asks for the user’s Pokemon Go password. Some scams claim to have additional features, like a special anti-ban guarantee. However, the site simply plays a video before asking for the final task: the “human verification.”
This verification process requires the user to fill in surveys, install applications, or sign up for services. If the user follows the scammers’ instructions, they don’t receive free PokeCoins. Instead, the scammers earn money for the user’s participation through an affiliate program. According to the statistics of the scams’ shortened URLs, a few thousand people have clicked on each link.
Figure 2. PokeCoin scam asks user to verify that they are human
Other scammers ask the user to manually share a message on Twitter or Facebook in order to receive free PokeCoins. However, no matter how many times the user spreads the message, they never receive any PokeCoins. We have found hundreds of these messages with varying URLs posted on social media sites. As stated in the 2016 Symantec Internet Security Threat Report, similar Manual Sharing scams made up 76 percent of social media fraud in 2015.
Trojanized Pokemon Go apps found on unofficial channels
Pokemon Go has not officially arrived in most regions yet; in the app’s first week, it was only available in the US, Australia, and New Zealand. The limited launch prompted users with Android devices or jailbroken iPhones to download the app from unofficial sources.
Attackers capitalized on this demand, creating Trojanized versions of the game targeting Android devices. As previously reported, malware authors disguised a remote access Trojan (Android.Sandorat) as Pokemon Go. The threat was distributed on various download sites and gaming forums. If the malicious version of the app is installed, it displays the Pokemon Go start screen, making users assume that nothing is amiss. However, the threat gives the attacker complete access to the phone.
Pokemon Go cheaters
Outside of malicious activity, players have been found trying to cheat the game to catch or hatch more Pokemon without walking around outside.
Some have used creative methods to do this, such as sticking their mobile device on toy trains, ceiling fans, dogs, or drones to make the app think that the user is moving. Others spoofed their GPS location using readily available apps that run on rooted Android devices or jailbroken iPhones. This tricks Pokemon Go into thinking that the user is somewhere else, typically a place where rare Pokemon can be found.
Similar tricks were used by players of the augmented reality game Ingress, which was developed by the Pokemon Go maker Niantic three years ago. Niantic appears to have expected this to happen in Pokemon Go too, as the company is reportedly giving hour-long bans to players who use GPS spoofers. While we haven’t seen attackers disguise their malware as GPS spoofers yet, it could happen as the Pokemon Go userbase grows.
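Niantic's actual spoof-detection logic is not described here, but a server can at least flag position reports that are physically impossible. The following Go program is an added illustration, not Niantic's code: it computes the speed implied by each pair of consecutive location fixes and reports any pair that exceeds a threshold. The fixes, the 150 km/h limit and the 10-second minimum interval are all constructed or assumed values.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Fix is one timestamped position reported by the client.
type Fix struct {
	At       time.Time
	Lat, Lon float64 // degrees
}

// Jump records two consecutive fixes that imply an impossible speed.
type Jump struct {
	From, To  Fix
	KmPerHour float64
}

// HaversineKm is the great-circle distance between two fixes in kilometres.
func HaversineKm(a, b Fix) float64 {
	const earthRadiusKm = 6371.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(b.Lat-a.Lat), rad(b.Lon-a.Lon)
	h := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(a.Lat))*math.Cos(rad(b.Lat))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(h))
}

// ImplausibleMoves returns every consecutive pair of fixes whose implied speed
// exceeds maxKmh. Intervals shorter than minGap are treated as minGap long, so a
// few metres of GPS jitter reported a second apart is not mistaken for motion,
// while a teleport across the world is flagged however quickly it was reported.
func ImplausibleMoves(fixes []Fix, maxKmh float64, minGap time.Duration) []Jump {
	var jumps []Jump
	for i := 1; i < len(fixes); i++ {
		prev, cur := fixes[i-1], fixes[i]
		dt := cur.At.Sub(prev.At)
		if dt < minGap {
			dt = minGap
		}
		if speed := HaversineKm(prev, cur) / dt.Hours(); speed > maxKmh {
			jumps = append(jumps, Jump{From: prev, To: cur, KmPerHour: speed})
		}
	}
	return jumps
}

// SampleTrack is constructed data: a short walk in San Francisco, after which the
// client suddenly reports Sydney (with a little GPS jitter) and keeps walking there.
func SampleTrack() []Fix {
	t0 := time.Date(2016, 7, 12, 18, 0, 0, 0, time.UTC)
	return []Fix{
		{t0, 37.7749, -122.4194},
		{t0.Add(5 * time.Minute), 37.7790, -122.4150},
		{t0.Add(10 * time.Minute), -33.8688, 151.2093},
		{t0.Add(10*time.Minute + 3*time.Second), -33.8684, 151.2093},
		{t0.Add(15 * time.Minute), -33.8670, 151.2100},
	}
}

func main() {
	// Assumed policy: nothing legitimate moves faster than 150 km/h, and fixes
	// closer together than 10 s are too noisy to judge on their own.
	for _, j := range ImplausibleMoves(SampleTrack(), 150, 10*time.Second) {
		fmt.Printf("%s -> %s: %.0f km/h\n",
			j.From.At.Format("15:04:05"), j.To.At.Format("15:04:05"), j.KmPerHour)
	}
}
```

Only the San Francisco to Sydney hop is reported (roughly 12,000 km in five minutes); the 7 km/h walk, the 40-metre jitter three seconds apart, and the slow stroll in Sydney all pass. A real service would also have to tolerate cold-start GPS errors and legitimate flights, which is presumably why the bans described above are short.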
There are other ways users could cheat at Pokemon Go. The app currently doesn't use certificate pinning. This means the game only checks whether the server's certificate chains to a root the device trusts, not whether it is the specific certificate (or public key) the backend is expected to present. A user can therefore install their own CA certificate into the phone's trust store and intercept the app's traffic with an ordinary man-in-the-middle (MITM) proxy. Because this requires control of the device's own trust store, it can't be used to attack other people's devices remotely, but it does let the user inspect Pokemon Go's backend API, look for weaknesses in it, and potentially automate or modify requests to get more items.
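To make the difference concrete, here is an added Go example (not Niantic's code; the certificates are throwaway self-signed ones generated on the fly) that runs TLS handshakes in memory. One client trusts whatever the device's trust store contains, which is all the article says the app does; the other additionally pins the SHA-256 hash of the backend's public key. Once a user-installed proxy CA is in the trust store, only the pinned client refuses the proxy's certificate, and it still accepts the genuine backend.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)
// newSelfSigned mints a throwaway self-signed "localhost" certificate with a fresh key:
// constructed test material, not the backend's real certificate. Panics on failure.
func newSelfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing DER we just produced cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// SPKIPin is the common "sha256/<base64>" pin: SHA-256 over the DER SubjectPublicKeyInfo.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// clientConfig trusts roots (the phone's trust store); with pin set it also demands the pinned key.
func clientConfig(roots *x509.CertPool, pin string) *tls.Config {
	cfg := &tls.Config{RootCAs: roots, ServerName: "localhost"}
	if pin != "" { // otherwise a trust-store check only, which is all the article says the app does
		cfg.VerifyPeerCertificate = func(_ [][]byte, chains [][]*x509.Certificate) error {
			for _, chain := range chains {
				for _, c := range chain {
					if SPKIPin(c) == pin {
						return nil
					}
				}
			}
			return errors.New("pin mismatch: chain is trusted by the device but is not the expected key")
		}
	}
	return cfg
}

// Handshake runs one TLS handshake over an in-memory pipe and returns the client's verdict.
func Handshake(server tls.Certificate, client *tls.Config) error {
	cliConn, srvConn := net.Pipe()
	cliConn.SetDeadline(time.Now().Add(5 * time.Second)) // never hang if one side bails out
	done := make(chan struct{})
	go func() {
		tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{server}, SessionTicketsDisabled: true}).Handshake()
		srvConn.Close()
		close(done)
	}()
	err := tls.Client(cliConn, client).Handshake()
	cliConn.Close()
	<-done
	return err
}

// Run pits clients with and without pinning against a proxy whose CA the user installed, then checks the genuine backend.
func Run() (trustOnlyAcceptsProxy, pinnedAcceptsProxy, pinnedAcceptsGenuine bool) {
	genuine := newSelfSigned("game backend")
	proxy := newSelfSigned("user-installed proxy CA")
	roots := x509.NewCertPool() // the device trust store after the user adds the proxy CA
	roots.AddCert(genuine.Leaf)
	roots.AddCert(proxy.Leaf)
	pin := SPKIPin(genuine.Leaf) // the value the app would ship with
	return Handshake(proxy, clientConfig(roots, "")) == nil,
		Handshake(proxy, clientConfig(roots, pin)) == nil,
		Handshake(genuine, clientConfig(roots, pin)) == nil
}

func main() {
	fmt.Println(Run()) // true false true
}
```

Pinning the SubjectPublicKeyInfo hash rather than the whole certificate is the usual choice because it survives routine certificate renewal as long as the key is kept; the same `sha256/` base64 form is what an Android app would place in its Network Security Config or an OkHttp CertificatePinner. The trade-off is operational: a pinned app must ship a backup pin and an update path, or a key rotation on the server locks every installed client out.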
Permissions and privacy
Niantic became the focus of security questions after people noticed that the app requested a lot of permissions, including full access to the Google account used to sign in. The company stated that it only accessed basic account information, and it released an update of the app that requests fewer permissions.
Even with this update, Pokemon Go still generates a lot of data, like location profiles and movement patterns, as described in the game’s privacy policy. The gathered data might increase even further when Pokemon Go Plus, the companion Bluetooth LE wearable device that connects to mobile devices, is used. We have discussed the risk of tracking wearables in the past. In this research, we found that some Bluetooth LE devices can be tracked or can leak data. As Pokemon Go Plus isn’t out yet, we can’t yet determine whether this device will face the same issues.
Staying safe in the real world
One of the best things about Pokemon Go is that it’s encouraging people to go outside and get fresh air and exercise. However, there have been reports of people injuring themselves due to not paying attention to where they walk and criminals luring gamers to locations with Pokemon and robbing them. The app advises users to pay attention to their surroundings when they play. Users should also avoid going to isolated or poorly lit areas alone while playing the game.
The Pokemon Company has stated: "We encourage all people playing Pokémon GO to be aware of their surroundings and to play with friends when going to new or unfamiliar places. Please remember to be safe and alert at all times."
Mitigation
To reduce the risk from the mobile threats described above, users should follow this advice:
- Avoid downloading Pokemon Go from unofficial marketplaces, as attackers can use these sites to deliver malware disguised as legitimate apps
- Install the Pokemon Go update that removes the request for full access to Google accounts
- Stay away from game-cheating tools, as they could be fraudulent or may contain malware
- Keep your smartphone's firmware updated to prevent vulnerabilities from being exploited
- Use strong and unique passwords for your Pokemon Go account
- Pay close attention to the permissions that apps request
- Install a suitable mobile security app, such as Norton, to protect your device and data