Malicious Pokémon GO application installs backdoor on your device
Remote access tools (RAT) are one of the most dangerous malware types. RAT provides attackers with full control over the victim’s system which allows them to remotely access files, private conversations, accounting data and other type of files on the victim’s device.
Wrapping popular applications with remote access trojans/tools is one of the methods used by cyber criminals to infect and control victim’s device. Recently discovered malicious file shows that attackers choose to take advantage of popular mobile game, Pokémon GO , for infecting target systems.
Pokémon GO, Nintendo’s new augmented mobile reality game became really popular since it was released last week. Using of device’s GPS function and camera to find a Pokémon around the neighborhood, interaction with social media to share pictures of Pokémon’s you found, playing this funny game with friends, and ofcourse Pokémon fans are the main reasons of this popularity. Even outages and connection problems reported and it’s international rollout has been paused because the application servers overloaded by players.
US-based security firm Proofpoint researchers found an infected Android version of this popular mobile game. The APK file (file format used for installing software on the Android operating system) they found was wrapped with dangerous remote access tool (RAT) called DroidJack.
DroidJack is a dangerous remote access and spying tool to obtain remote access and full control to victim’s device. It is also improved version of dangerous Sandro RAT, which discovered in 2013 by Symantec. Listening audio live from device’s microphone, accessing files or photos, viewing all the contacts, viewing messages are just basic functions of the RAT.
According to Proofpoint, the malicious APK file was uploaded to a malicious file repository service at 09:19:27 UTC on July 7, some 72 hours after the game was released in New Zealand and Australia.
So, the malicious application has not been spotted in the wild yet, but it could be a matter of time before it spreads. Because first of all, Niantic Inc, creator of the game, has paused international rollout of Pokémon GO due to intense server traffic, which makes the game currently available only in United States, Australia and New Zealand. This may lead some fans to search and install the game from alternate channels. And there is an option in the application settings on your Android device for sideloading applications from untrusted sources. Clicking the checkbox to “Allow installation of non-Market applications” modifies Android security settings and may allow an insistent/careless user to download this malicious application from third-party sources.
Unfortunately, this is an extremely risky practice and can easily lead users to installing malicious apps on their own mobile devices.. Should an individual download an APK from a third party that has been infected with a backdoor, such as the one we discovered, their device would then be compromised.
Also some malware campaigns may trick users to download this type of malicious applications from untrusted sources by introducing these applications as game items, tutorials, game cheating applications etc.
How to check if your device is infected?
The infected version of the game grants more permissions than the legitimate application. In Settings-Apps-Pokemon GO, you have to check Permissions section. If you see the outlined permissions in the pictures above, it means that your device is infected.
The other method is to check the SHA256 hash of the downloaded APK. The legitimate Pokémon GO application has a SHA256 hash of 8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67 and the malicious APK file that analyzed by Proofpoint has a SHA256 hash of 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4.
What to do for prevention?
First of all, do not modify your Android device’s core security settings. Use a mobile antispyware and make sure it is up to date. Never download applications from third-party sources and always be aware of what you are downloading.
996 total views, 2 views today