Have you downloaded a Pokemon Go guide app in the last few months? It’s possible that you downloaded devastating malware.

A popular Pokemon Go guide app with half a million downloads was recently caught hacking Android devices. The hack was discovered by researchers from Kaspersky Lab. The app, which goes by the vague name Guide for Pokemon Go, was widely available on the Google Play Store – but has since been taken down.

The app, according to Kaspersky’s blog post, used multiple layers of obfuscation to bypass Google Play’s malware detection mechanisms.

One of its key evasion techniques is delayed execution: the app contains a malicious module that doesn’t run immediately. Instead, the app waits until the user has installed or uninstalled another application. It does this to ensure that it’s being run on a real device – not an emulated environment like the ones researchers use to test malware.

After the app determines it’s running on a real device, it goes to work. It waits a further two hours before executing its malicious module, which then connects to a remote server. The malware sends device-specific data to that server, and the server responds by telling the module to download exploits that correspond specifically to vulnerabilities on that device.

The App Uses Root Exploits

One of the scariest parts about this malware is that it uses root exploits – which infect the lowest layers of your Android system.

In other words, if the malware successfully exploits your system, the result could be a full compromise of the device.

Now here’s the good news: the app only uses a library of exploits for vulnerabilities that were found in Android between 2012 and 2015. So if your device has received any major update since the end of 2015, you’re probably protected. Google has officially issued patches for all of the vulnerabilities the app’s exploits target.

Nevertheless, there are still plenty of Android users out there who never update their devices – or are using devices that never received the updates. This typically occurs on lower-end Android devices that aren’t part of the Google ecosystem.
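
The patch-level check implied above, as an added example that is not part of the original article: it reads `adb shell getprop` output and flags devices whose `ro.build.version.security_patch` value is missing or earlier than 2016. The 2016-01-01 cutoff, the device names and the sample dumps are assumptions constructed for illustration.

```python
import re
from datetime import date

# Assumption: cutoff derived from the article's "end of 2015" statement.
CUTOFF = date(2016, 1, 1)
PATCH_PROP = "ro.build.version.security_patch"
PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[([^\]]*)\]$")

def parse_getprop(text):
    """Turn `adb shell getprop` output ("[key]: [value]" lines) into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def assess(getprop_text):
    """Return (exposed, reason) for one device's property dump."""
    raw = parse_getprop(getprop_text).get(PATCH_PROP, "")
    try:
        patch = date.fromisoformat(raw)
    except ValueError:
        # Assumption: a missing or malformed value is treated as exposed,
        # since older builds may not report a patch level at all.
        return True, "no usable security patch level reported"
    if patch < CUTOFF:
        return True, f"patch level {patch} predates {CUTOFF}"
    return False, f"patch level {patch}"

# Constructed sample dumps (not from real devices).
SAMPLES = {
    "tablet-old": "[ro.build.version.release]: [4.4.2]\n[ro.product.model]: [Example Tab]",
    "phone-2015": "[ro.build.version.release]: [5.1.1]\n[ro.build.version.security_patch]: [2015-11-01]",
    "phone-2016": "[ro.build.version.release]: [6.0.1]\n[ro.build.version.security_patch]: [2016-08-05]",
    "phone-bad": "[ro.build.version.security_patch]: [unknown]",
}

def audit(samples=SAMPLES):
    """Map each device name to its (exposed, reason) verdict."""
    return {name: assess(dump) for name, dump in samples.items()}

if __name__ == "__main__":
    for name, (exposed, reason) in audit().items():
        print(f"{name:12} {'EXPOSED' if exposed else 'ok':8} {reason}")
```

On a real device, the input would come from running `adb shell getprop` and passing the captured text to `assess`.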

Kaspersky reports that 6,000 infections have taken place thus far, with most victims being from Russia, India, and Indonesia. The researchers cautioned, however, that the app is marketed towards English speakers, so it’s likely that people in western countries have also been hit.

Other Apps in the Play Store Also Contained this Malware

The Guide for Pokemon Go app was the compromised app with the most downloads – but researchers found a variety of other apps that also contained the same malware. An app called Digital Clock, for example, had more than 100,000 downloads and contained the malware. Many other similarly vaguely named apps had approximately 10,000 downloads.

Keep your systems updated and avoid downloading suspicious-looking apps from the Play Store – even if they appear to have 500,000 downloads.
