Fake Pokemon Go app contains Malware (RAT) takes full control of infected device

Alert for Pokémon Go users on Android: cyber criminals have distributed a fake copy of the Pokémon Go app that is infected with a remote access tool (RAT) capable of taking over the smartphone.

The new Pokémon Go app was recently released for iOS and Android devices, and it became such a massive hit that the developers faced server overload. But with fame comes unwanted attention, and Pokémon Go has caught the eye of cyber criminals.

Pokémon Go was released on July 4th in Australia and New Zealand and on July 6th in the United States, while users in other countries were still waiting for a copy of the augmented reality game. That is when IT security firm Proofpoint found an infected version of the Pokémon Go Android app.

Researchers found a specific APK that had been altered to inject a remote access tool (RAT) called DroidJack (also known as SandroRAT), which, once installed, allows intruders to take full control of the victim's device.

DroidJack was first identified in 2014 by firms such as Symantec and Kaspersky, at the time targeting users in India.

Although infected third-party apps do turn up on the Google Play Store, what makes the fake Pokémon Go app a bigger threat is that the game had not been released worldwide, so users may be tempted to download the first copy they see without checking its authenticity. To install an APK from outside the Play Store, users have to enable installation from unknown sources on the device, and that same setting lets malicious programs install.

If you installed the fake Pokémon GO app, you have already allowed it to take pictures and videos, track your location, modify or delete content on your device, view network connections, access Bluetooth settings and pair with Bluetooth devices, and even control vibration.

Image Source: Proofpoint

Proofpoint also noted that, upon installation, the app asks for the user's date of birth, which is an indication that the app itself is phony.

Image Source: Proofpoint

“Bottom line, just because you can get the latest software on your device does not mean that you should,” the company wrote. “Instead, downloading available applications from legitimate app stores is the best way to avoid compromising your device and the networks it accesses.”

To avoid infecting your device with such software, do not install apps from third-party sources. Google Bouncer (Google's automated system that scans apps submitted to the Play Store for malicious behaviour) can only vet what is published on the Play Store; a side-loaded APK never passes through it.

Proofpoint's technical analysis of the sample follows. The infected Pokemon GO APK has been modified in such a way that, when launched, the victim would likely not notice that they had installed a malicious application. Figure 4 shows the startup screen of the infected Pokemon GO game, which is identical to the legitimate one.

Figure 4: Infected Pokemon GO start screen; it appears identical to that of the legitimate application

After inspecting the infected game further and comparing it with the legitimate game, three classes stand out that were added by the attacker. Figure 5 shows the classes from the legitimate game and Figure 6 those from the infected game, including the following added classes:

  • a
  • b
  • net.droidjack.server

Furthermore, this DroidJack RAT has been configured to communicate with the command and control (C&C) domain pokemon[.]no-ip[.]org over TCP and UDP port 1337 (Fig. 7). No-ip.org is a service used to associate a domain name with a dynamic IP address like those generally assigned to home or small business users (as opposed to a dedicated IP address), but it is also used frequently by threat actors, along with similar services such as DynDNS. At the time of analysis, the C&C domain resolved to an IP address in Turkey (88.233.178[.]130) which was not accepting connections from infected devices.

Figure 5: Legitimate Pokemon GO classes

Figure 6: Infected Pokemon GO classes with highlighted malicious classes
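The class comparison above can be automated: a DEX file's class_defs table points (via type_ids and string_ids) at every class descriptor it defines, so the injected classes are simply the set difference between the suspect build and a known-good one. The following Python is an added example, not Proofpoint's tooling or the game's code. It parses only the tables needed for the class list, and because no real APK is available offline it also constructs a minimal DEX in memory for demonstration; the "legitimate" class names are placeholders, while the three injected names are the ones Proofpoint lists.

```python
"""Enumerate the classes in a DEX file and diff them against a known-good build.

Added example (not Proofpoint's tooling). Assumes the comparison is between the
legitimate APK's classes.dex and the suspect APK's classes.dex; the baseline
class names below are constructed placeholders, not Pokemon GO's real classes.
"""
import struct
import zipfile

DEX_MAGIC = b"dex\n"


def _uleb128(buf, off):
    """Decode one unsigned LEB128 value at buf[off]; return (value, next_off)."""
    value, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def descriptor_to_name(desc):
    """'Lnet/droidjack/server;' -> 'net.droidjack.server'."""
    return desc[1:-1].replace("/", ".")


def dex_class_names(dex):
    """Return the classes defined in a DEX blob (string_ids -> type_ids -> class_defs)."""
    if dex[:4] != DEX_MAGIC:
        raise ValueError("not a DEX file")
    str_n, str_off, type_n, type_off = struct.unpack_from("<4I", dex, 0x38)
    cls_n, cls_off = struct.unpack_from("<2I", dex, 0x60)
    strings = []
    for i in range(str_n):
        (data_off,) = struct.unpack_from("<I", dex, str_off + 4 * i)
        _utf16_len, p = _uleb128(dex, data_off)          # MUTF-8 payload follows the length
        strings.append(dex[p:dex.index(b"\x00", p)].decode("utf-8"))
    types = [strings[struct.unpack_from("<I", dex, type_off + 4 * i)[0]] for i in range(type_n)]
    # class_def_item is 32 bytes; its first u4 is class_idx, an index into type_ids
    return [descriptor_to_name(types[struct.unpack_from("<I", dex, cls_off + 32 * i)[0]])
            for i in range(cls_n)]


def apk_class_names(apk_path):
    """Classes from the primary classes.dex of an APK on disk (an APK is a zip file)."""
    with zipfile.ZipFile(apk_path) as z:
        return dex_class_names(z.read("classes.dex"))


def injected_classes(baseline, suspect):
    """Classes present in the suspect build but absent from the known-good one."""
    return sorted(set(suspect) - set(baseline))


def build_dex(class_names):
    """Construct a minimal DEX (header, string_ids, type_ids, class_defs, string data).
    Only the tables dex_class_names() reads are populated; this is test scaffolding."""
    descs = sorted("L" + n.replace(".", "/") + ";" for n in class_names)  # string_ids are sorted
    n = len(descs)
    str_ids_off = 0x70
    type_ids_off = str_ids_off + 4 * n
    cls_defs_off = type_ids_off + 4 * n
    data_off = cls_defs_off + 32 * n
    str_data, str_offs = b"", []
    for d in descs:
        str_offs.append(data_off + len(str_data))
        raw = d.encode("utf-8")
        str_data += bytes([len(raw)]) + raw + b"\x00"   # uleb128 length (all < 128 here)
    body = b"".join(struct.pack("<I", o) for o in str_offs)
    body += b"".join(struct.pack("<I", i) for i in range(n))             # type i -> string i
    body += b"".join(struct.pack("<8I", i, 1, 0xFFFFFFFF, 0, 0xFFFFFFFF, 0, 0, 0)
                     for i in range(n))                                    # class_def_item
    body += str_data
    total = 0x70 + len(body)
    header = b"dex\n035\x00" + struct.pack("<I", 0) + b"\x00" * 20        # magic, checksum, sha1
    header += struct.pack("<20I", total, 0x70, 0x12345678, 0, 0, 0,
                          n, str_ids_off, n, type_ids_off, 0, 0, 0, 0, 0, 0,
                          n, cls_defs_off, len(str_data), data_off)
    return header + body


# Constructed placeholder names for the legitimate build (not the game's real classes).
LEGIT_CLASSES = ["com.example.game.MainActivity", "com.example.game.MapView",
                 "com.example.game.net.Session"]
# The three additions Proofpoint reports in the infected build.
DROIDJACK_CLASSES = ["a", "b", "net.droidjack.server"]


if __name__ == "__main__":
    good = dex_class_names(build_dex(LEGIT_CLASSES))
    bad = dex_class_names(build_dex(LEGIT_CLASSES + DROIDJACK_CLASSES))
    for cls in injected_classes(good, bad):
        print("injected:", cls)
```

Against real files, call `apk_class_names()` on the official APK and on the suspect one and diff the results; an APK with more than one `classes*.dex` needs each DEX read in turn. Obfuscated but legitimate builds also carry single-letter classes, so a default-package `a` or `b` is only meaningful relative to a baseline of the same version, which is why the comparison is against a known-good build rather than against a blocklist alone.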

Figure 7: Hardcoded C&C domain and port
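The hardcoded C&C configuration above gives a defender three network indicators: the domain, the port pair (TCP and UDP 1337), and the use of a dynamic-DNS zone. The following Python is an added example of detection logic run over DNS and connection logs, not anything published by Proofpoint. The log format and the client addresses are constructed for the example; the domain, IP and port are the ones the analysis reports, and the dynamic-DNS zone list is a partial, hand-picked set that a real deployment would extend.

```python
"""Flag DroidJack-style C&C traffic in DNS and connection logs.

Added example, not Proofpoint's detection content. The log format (one event per
line, key=value fields) and every client address are constructed for this
example; the C&C domain, IP and port are the ones reported in the analysis.
DDNS_ZONES is a partial, hand-picked list, not a complete one.
"""

IOC_DOMAINS = {"pokemon.no-ip.org"}          # hardcoded C&C domain (Figure 7)
IOC_IPS = {"88.233.178.130"}                 # where it resolved at analysis time
C2_PORTS = {1337}                            # used over both TCP and UDP
DDNS_ZONES = ("no-ip.org", "no-ip.biz", "ddns.net", "dyndns.org", "hopto.org")  # partial


def parse_event(line):
    """'<ts> <kind> k=v k=v ...' -> dict. Constructed format, not a real tool's output."""
    ts, kind, rest = line.split(" ", 2)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"], ev["kind"] = ts, kind
    return ev


def is_ddns(domain):
    """True if the name sits under one of the listed dynamic-DNS zones."""
    d = domain.lower().rstrip(".")
    return any(d == z or d.endswith("." + z) for z in DDNS_ZONES)


def scan(lines):
    """Return (src, reason, detail) alerts. DNS answers are remembered per client so a
    later connection to that IP can be tied back to the name that produced it."""
    alerts, resolved = [], {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["kind"] == "dns":
            q = ev["query"].lower().rstrip(".")
            if "answer" in ev:
                resolved[(ev["src"], ev["answer"])] = q
            if q in IOC_DOMAINS:
                alerts.append((ev["src"], "lookup of known C&C domain", q))
            elif is_ddns(q):
                alerts.append((ev["src"], "dynamic DNS lookup", q))
        elif ev["kind"] == "conn":
            dst, port, proto = ev["dst"], int(ev["dport"]), ev["proto"]
            name = resolved.get((ev["src"], dst))          # None if never seen in DNS
            where = f"{dst}:{port}/{proto}" + (f" ({name})" if name else "")
            if dst in IOC_IPS or name in IOC_DOMAINS:
                alerts.append((ev["src"], "connection to known C&C", where))
            elif port in C2_PORTS and name and is_ddns(name):
                alerts.append((ev["src"], "C&C-style port to dynamic DNS host", where))
            elif port in C2_PORTS:
                alerts.append((ev["src"], "connection on C&C port", where))
    return alerts


# Constructed sample log: one infected client, one clean client, one client talking
# to an unrelated dynamic-DNS host on the same port.
SAMPLE_LOG = """\
2016-07-10T12:00:01Z dns src=10.0.0.23 query=pokemon.no-ip.org answer=88.233.178.130
2016-07-10T12:00:02Z conn src=10.0.0.23 dst=88.233.178.130 proto=tcp dport=1337
2016-07-10T12:00:02Z conn src=10.0.0.23 dst=88.233.178.130 proto=udp dport=1337
2016-07-10T12:00:05Z dns src=10.0.0.42 query=www.example.com answer=203.0.113.10
2016-07-10T12:00:06Z conn src=10.0.0.42 dst=203.0.113.10 proto=tcp dport=443
2016-07-10T12:00:09Z dns src=10.0.0.77 query=myhome.ddns.net answer=198.51.100.5
2016-07-10T12:00:10Z conn src=10.0.0.77 dst=198.51.100.5 proto=tcp dport=1337
"""

if __name__ == "__main__":
    for src, reason, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{src}: {reason}: {detail}")
```

Connection attempts are worth alerting on even when, as at the time of Proofpoint's analysis, the C&C host is not accepting connections: the attempt itself identifies the infected device. The tiered reasons matter for triage. A lookup of the exact domain or a connection to the known IP is a firm indicator; port 1337 combined with a dynamic-DNS name is a strong behavioural match for this configuration; port 1337 on its own is noisy and is reported only as a lower-confidence lead.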

Conclusion

Installing apps from third-party sources, other than officially vetted and sanctioned corporate app stores, is never advisable. Official and enterprise app stores have procedures and algorithms for vetting the security of mobile applications, while side-loading apps from other, often questionable sources, exposes users and their mobile devices to a variety of malware. As in the case of the compromised Pokemon GO APK we analyzed, the potential exists for attackers to completely compromise a mobile device. If that device is brought onto a corporate network, networked resources are also at risk.

Even though this APK has not been observed in the wild, it represents an important proof of concept: namely, that cybercriminals can take advantage of the popularity of applications like Pokemon GO to trick users into installing malware on their devices. Bottom line, just because you can get the latest software on your device does not mean that you should. Instead, downloading available applications from legitimate app stores is the best way to avoid compromising your device and the networks it accesses.

Source: Proofpoint, hackread

Written by Lauren Brien