Pokémon Go Mayhem: Privacy, Muggings, MalwarePolice and Security Experts Issue Warnings; Fixes on the Way
The Pokémon Go smartphone app, released last week, is already a smash hit, sending maker Nintendo's stock price soaring as the app gets installed on numerous iOS devices as well as an estimated 5 percent of all Android devices.
For anyone who's not au courant with the game, it uses augmented reality to display virtual creatures - in real-world locations, called Pokestops - that players can capture, train and trade. While only "officially" available in Australia, New Zealand and the United States so far, the app has also seen massive use by people in Brazil, India, Great Britain, Mexico, Spain and Turkey, among other countries, reports market researcher SimilarWeb. While the app is "free," it also allows for microtransactions via "Pokecoins," which can be collected inside the game or purchased using real-world cash.
Regardless, this geocaching game - meaning it's tied to real-world locations - is earning plaudits for getting kids, and older players, off the living room couch and into the real world as they seek out Pokémon and then take aim, via their screen, using a virtual ball designed to capture the critters. And the augmented-reality technology is well-tested. It's from Niantic, a Google spin-off that makes Ingress, which is a massively popular multiplayer game that allows players on opposing teams to capture virtual portals that exist in places of cultural significance, such as parks, museums and a variety of other real-world locations that were submitted by Ingress users. Nintendo is an investor in both Niantic and the Pokémon Company, which receives about 30 percent of Pokémon Go's revenues, according to the Financial Times.
But Pokémon Go has already hit several security and privacy-related speed bumps, and not all of them are virtual.
Arrest Report: Armed Robbers Created Pokestop
In Pokémon Go, players can meet up to do virtual battle, and police in O'Fallon, Mo., say that a group of four individuals apparently used that feature to lure other players to remote locations with the intention of robbing them.
Police said they responded to an armed robbery report at 2 a.m. on July 10, and arrested four suspects - one of whom was a juvenile - who were in a BMW. They also said they recovered a handgun. The adult suspects have been identified as Shane Michael Baker, 18; Brett William Miller, 17; and Jamine James D. Warner, 18. "It is believed these suspects targeted their victims through the Pokémon Go smartphone application," police said. The three adult suspects have been charged with first-degree robbery - a felony - and each had their bail set at $100,000 cash.
Responding to queries about how the suspects allegedly employed the app, the police department said via its Facebook page: "The way we believe it was used is you can add a beacon to a Pokestop to lure more players. Apparently they were using the app to locate [people] standing around in the middle of a parking lot or whatever other location they were in.
Police said that the functionality is a reminder to not give away one's location to strangers. "If you use this app - or other similar type apps - or have children that do, we ask you to please use caution when alerting strangers of your future location," police said.
Capturing Users' Google Data
Meanwhile, multiple security researchers have been warning that the Pokémon Go app has access to many more device permissions than it requires, thus posing a privacy risk. Some information security experts - such as Veracode CTO Chris Wysopal - have even been urging users to create "burner" Apple or Google accounts that get used only with the game.
If you are on iOS create a throwaway Google account to use with #PokemonGO, otherwise the game has access to your full Google account.— Chris Wysopal (@WeldPond) July 12, 2016
What specific privacy risks face Pokémon Go users? Security researcher Adam Reeve, a principal architect at security analytics platform RedOwl, on July 8 warned that Pokémon Go requires full access to a user's Google account, thus giving the app the ability to read a user's email, send email using their identity, access and delete all Google drive documents, review a user's search history, access private photos stored in Google Photos and more.
"Now, I obviously don't think Niantic are planning some global personal information heist. This is probably just the result of epic carelessness," Reeve said.
Niantic has responded to Reeve's warning, confirming on July 11 that the iOS version of its app has been requesting full access permission for a user's Google account, due to coding errors. In a statement provided to gaming news site Polygon, Niantic says it's been "working on a client-side fix" that will restrict the data the app can see to only be a user's Google user ID and email address, which it says is all the app requires. "Google has verified that no other information has been received or accessed by Pokémon Go or Niantic," Niantic says. "Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves."
Trojanized Apps Appear
Less than 72 hours after Pokémon Go was first released, attackers had already Trojanized a legitimate version of the free Android app to include malware and potentially released it via unofficial, third-party app stores, warn researchers at security firm Proofpoint.
The malicious Android application file "was modified to include the malicious remote access tool called DroidJack - also known as SandroRAT, which would virtually give an attacker full control over a victim's phone," the researchers warn in a blog post. While the app was spotted in a malicious-file repository service, they say, it's unclear how many people, if any, have actually installed this or some other Trojanized version of the app.
When the Trojanized Pokémon Go first appeared, the app had yet to be made officially available outside of the three aforementioned countries. But gaming websites had begun publishing instructions about how users could download the app, including using side-loading - evading Google's official app store - to install them. Anyone who installed a backdoored version, however, would likely be unaware, Proofpoint says, since it appears to behave normally, even when it's attempting to phone home to a command-and-control server. "In the case of the compromised Pokemon Go APK we analyzed, the potential exists for attackers to completely compromise a mobile device. If that device is brought onto a corporate network, networked resources are also at risk," they note.
Anyone feeling the Pokémon Go "gotta catch 'em all" fever should stick to "officially vetted and sanctioned corporate app stores ... [which] have procedures and algorithms for vetting the security of mobile applications," Proofpoint recommends.