Just days after the Pokémon GO mobile game was launched in Australia and New Zealand, fake apps leveraging its popularity to infect users with malware started to emerge, and the threat continues to hit users via social media accounts, Proofpoint researchers warn.
In July, a malicious Pokémon GO application packing the remote access tool (RAT) DroidJack emerged, but that was only one example of threat actors abusing the popularity of the game for their benefit. This malicious program was never observed in the wild, but researchers soon discovered malware such as a Pokémon GO lockscreen and scareware masquerading as guides and cheats for the game.
Pokémon GO remains a highly popular mobile app, and cybercriminals have found a new method of compromise by heading to social networks such as Facebook, Twitter, and Tumblr. According to Proofpoint, there are 543 social media accounts related to Pokémon GO at the moment, and over 30% of them, or 167, are fraudulent.
The actors behind these accounts are using various techniques to compromise users. According to Proofpoint, 44 of the fraudulent accounts contained links to download files, many purporting to be Pokémon GO game guides. Furthermore, 79 were found to be imposter accounts, and 21 accounts promised “free giveaways.”
Although the Pokémon GO hype started on mobile, malware that abuses the popularity of the game is targeting desktop platforms as well. When analyzing the social media accounts offering files for download, researchers discovered that they were affecting both mobile and desktop platforms by linking to adware, malware or software other than the one advertised.
“It’s important to note that while we have seen at least three malicious versions of Pokémon GO, social media is also driving users to install Android APKs, which happen to be malware, as shown in Figure 2. Power ups, guides, and walkthroughs are all common and easy ways to draw users’ attention as these are compelling tools that help players in the game,” Proofpoint researchers explain.
The main issue is that Pokémon GO’s popularity can be abused to compromise enterprise networks, because the game can be found on devices connected to corporate environments as well. “4.5% of devices across the organizations we surveyed had Pokémon GO installed, including a small percentage of them (4%) running early versions of the game that had no patch for the Google permissions issues,” Proofpoint notes.
The prevalence of potentially risky apps related to Pokémon GO on corporate networks is more problematic than the high popularity the game enjoys. Niantic, the company developing Pokémon GO, has already warned of add-on map apps that scrape servers for data, and malicious apps related to the game have already been detected in US app stores and have been distributed to users.
Pokémon GO provided cybercriminals with the opportunity to launch a full suite of attacks: compromised apps, fraudulent social media sites, phishing social posts, mobile malware, and more. The 167 fraudulent social media accounts are only the tip of the iceberg when it comes to the risks, scams, and malware that users are exposed to.
“These accounts exist to make a statement or extract money from users who are not cautious enough to avoid them or lack security tools to protect themselves from social media threats and risks,” Proofpoint says. “The popularity of Pokémon GO has created many opportunities across social and mobile ecosystems for threat actors to target players and fans of the application.”
At launch, the application requested excessive permissions on Google accounts, and that represented yet another issue, especially when considering that the game was being installed on devices used within corporate networks. Now, all individuals should exercise caution when interacting with communities related to Pokémon GO, because they are exposed to diverse and numerous potential threats.
“More generally, though, Pokémon GO serves as a ready example of the ways in which cyber attackers will use popular phenomena to go after new targets. As the popularity and novelty of Pokémon GO eventually wanes, attackers will be looking for the "next big thing," exploiting attention on the holidays, presidential elections, major sporting events, and more,” Proofpoint concludes.