There have been reports of malicious Pokemon Go apps out in the wild since the game was released over a week ago, but more of them are popping out of the brush than Caterpies just out of Pallet Town.
According to security firm ESET, apps have been masquerading under similar Pokemon titles, attracting people looking for guides and cheats. Unlike the third-party version we reported on last week
that installed a backdoor on Android devices, the three identified by the firm were found in the Google Play store.
One app, called Pokemon Go Ultimate posed the biggest threat to people’s devices. While it resembled the game, it deliberately locked the screen of the device on startup. ESET warns that a simple reboot often won’t work as the app overlays itself over system windows. Users with a locked screen can pull out the battery or use Android Device Manager. However, even after a reboot, it still runs in the background, clicking on porn advertisements. You’d need to manually uninstall PI Network, which should appear in your application manager.
“Pokemon Go Ultimate is the first observation on Google Play of lockscreen functionality being successfully used in a fake app,” said Lukaš Štefanko, a malware researcher at ESET. As per the blog post, the app was used between 500 and 1,000 times before it was removed from the store.
The other two apps to be wary of are “scareware,” meaning that they trick users into paying for unnecessary services. In the case of “Guide & Cheats for Pokemon Go” and “Install Pokemongo,” users could’ve been tricked into signing up for phony services with the promise of generating Pokeballs or Lucky Eggs (apparently up to 999,999 per day because you can go through that many Pokeballs in a day). Both apps have been removed from the app store, but not before the latter got between 10,000 and 50,000 installs. The former only reached between 100 and 500 users.
While the apps have been removed from the Google Play store, it’s important to remind users that while Pokemon Go is amazing and the most popular app ever, it’s important to know what you’re putting on your device. Please don’t use third-party applications and, if you must download an app that promises to help you cheat, it most likely won’t.
However, if you absolutely have to give a random app a shot, then check reviews and its developer. If you see anything a little sketchy, flee! You’ll catch another Pokemon soon.
[Ars Technica via ESET]