Pokemon GO security: gotta catch ’em all


Pokemon GO has been downloaded more than 10 million times on the US Google Play Store alone. It’s the biggest app sensation around; bigger even than Tinder and earning millions per day by way of in-game purchases. So here’s a Pokemon GO security round-up.

The game has also not escaped the attention of the bad guys. Pokemon GO has become, at once, a cause of security scares and the target of them.

It is tempting to think of Pokemon GO as some kind of virus itself, considering how far and fast this app has spread. It’s actually just another augmented reality game, albeit a hugely successful one.

If you want to know how to play it, head over to YouTube for some hints and tips. If you want to know how it has affected security this last week, stay right here.

First there are the fake apps. Or rather, the malicious versions of the app that contain a backdoor. These are being downloaded from untrusted sources.

“Jailbreaking devices or installing apps from unofficial or untrusted sources is a recipe for letting the fox into the henhouse,” says Javvad Malik, Security Advocate at AlienVault.

“DroidJack gives attackers complete access to mobile devices including user text messaging, GPS data, phone calls, camera – and any business network resources they access,” warns Kevin Epstein, VP of the Threat Operations Centre at Proofpoint.

“This makes both the practice of side-loading applications and the presence of apps like the malicious version of Pokemon GO especially concerning,” Kevin concludes.

There seems little doubt that the version that Proofpoint discovered, complete with the DroidJack backdoor to enable control over the host device, will not be the last.

All that said, ESET researchers have also discovered fake apps on the Google Play Store itself targeting Pokemon GO fans. These include a fake lockscreen app called Pokemon GO Ultimate and two scareware apps: Guide & Cheats for Pokemon GO and Install Pokemongo.

All of these fake apps have been removed following ESET intervention.

As long as the world continues to play Pokemon GO the bad guys will continue to target it. As long as the media continue to obsess over it as good SEO material, well, ditto.

While developer Niantic had nothing to do with the DroidJack-compromised version of Pokemon GO, it was guilty of permission creep: an app requesting far more user permissions at install time than it either needs or can reasonably justify.

In the case of Pokemon GO, Niantic has admitted it got the permission requests wrong but insists no user information has been accessed inappropriately.

“Mobile apps are notorious for requesting excessive permissions,” Javvad says, “in this case, it appears as if it was a failing on behalf of Google in allowing an app to not only request admin privileges, but doing so without displaying a prompt to users.”
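Permission creep is easiest to spot by diffing what an app actually asks for against what its function justifies. The script below is an added example, not code from the article or from Niantic: it parses a constructed AndroidManifest.xml for a hypothetical location-based AR game, lists every requested permission outside a reviewer-defined baseline, and flags whether the app declares a device-admin receiver (the route by which an Android app can ask for admin privileges).

```python
"""Audit an Android manifest for permission creep (constructed example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Constructed manifest standing in for an AR game that asks for more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.argame">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Baseline a location-based AR game can justify (reviewer's assumption, not Niantic's list).
EXPECTED = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

def audit_manifest(xml_text, expected=EXPECTED):
    """Return (sorted list of unexpected permissions, whether a device-admin receiver is declared)."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # A receiver guarded by BIND_DEVICE_ADMIN lets the app prompt to become a device administrator.
    admin = any(el.get(PERM_ATTR) == "android.permission.BIND_DEVICE_ADMIN"
                for el in root.iter("receiver"))
    return sorted(requested - expected), admin

if __name__ == "__main__":
    extra, admin = audit_manifest(SAMPLE_MANIFEST)
    print("unexpected permissions:", extra)
    print("declares device admin receiver:", admin)
```

Run the same function over the manifest pulled from a real APK (for example with apktool) to get a review checklist before an app is approved for side-loading or enterprise distribution.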

If all that weren’t bad enough, Pokemon GO players have been seeing service disruption. At first it was thought that this was simply a question of scale: too many players were slowing the network down.

Then it became clear that the Nintendo-Niantic servers had actually suffered a DDoS attack. This sadly isn’t overly surprising given that, as Stephanie Weagle, Senior Director at Corero Network Security says, “the online gaming industry is highly susceptible to DDoS attacks.”

This is due to the competitive nature of the games themselves, Stephanie insists, adding that monetary gains, or the notion that organised cyber crime syndicates can “grab headlines with their successful attacks”, also come into play.

Ofer Gayer, Product Manager for DDoS at Imperva, adds that “gaming platforms like Pokemon GO are highly sensitive to latency and availability issues,” which makes them ideal targets for DDoS. “Mitigating DDoS on game servers is a particularly complex task,” Ofer warns.

This is especially true when you consider that gamers are pretty sensitive to latency issues. “This can be affected by multiple factors,” Ofer says, “most prominently the distribution of scrubbing locations and time to mitigate.”

Hacking group PoodleCorp has taken responsibility for the Pokemon GO DDoS, although no motive has yet surfaced.