Malicious Pokémon Go App Full of Malware

Ray Walsh

July 12, 2016

Pokemon Go’s augmented reality style gaming experience is taking the world by storm and has already added 10% ($9 billion in value) to Nintendo’s shares. Unlike Nintendo’s traditional games, which are usually for proprietary consoles, Pokemon Go is for smartphones and offers an exciting new form of gameplay that involves walking around in the real world to collect the in-game Pokemon creatures. So far, the game (developed by Niantic) has only been released in a few locations worldwide, which has led excited gamers everywhere to scour the Internet for a third party APK file.

Unfortunately, malevolent hackers aware of the sudden rush for the game have hidden a form of malware inside the pirated app that allows them to completely commandeer users’ phones. The malware is called Droidjack (or SandroRAT) and was discovered by security research company Proofpoint, which has now issued a dire warning to fans of the game telling them to wait for the official version to be released on the Google Play Store.

As Nintendo has suffered a few server issues since the game was rolled out in Australia, New Zealand, and the US earlier this week, there has been a slight delay to its release in the rest of the world.

For this reason, gamers all over the world have been surging to download the APK file via unofficial means, inspiring malicious hackers to hide the powerful malware inside the Android APK file.

The infected version of the game can only be installed by overriding a phone’s security features to give it permission to install unverified third party apps. With that done, the APK installs with unusual permissions which allow the malware to start up automatically as soon as the user turns on their phone. Proofpoint explains on its website why installing the third party APK is so unwise:

‘Unfortunately, this is an extremely risky practice and can easily lead users to installing malicious apps on their own mobile devices. Should an individual download an APK from a third party that has been infected with a backdoor, such as the one we discovered, their device would then be compromised.’

What does the Pokemon Go Malware do?

The trojan horse allows hackers to use the Remote Access Tool (RAT) to quietly gain full control of the user’s phone. This includes looking at SMS messages, listening in on phone calls, recording audio with the microphone, granting access to and allowing modification of contacts, and the ability to see what the user is doing on their screen (and therefore steal passwords).

People who are worried that they may have downloaded the infected version of the Pokemon APK file are advised to check the app’s permissions for anything unusual by going to: Settings -> Apps -> Pokemon GO.

If it does indeed have permission to make calls, alter contacts, access SMS messages, and start automatically at power-up, then it is likely you have been infected with the malware. Proofpoint also describes a method for checking the SHA256 hash of the downloaded APK file.

Next, Proofpoint explains that the startup screen of the infected Pokemon Go app looks identical to the real thing. This means that there is no way for users to know whether they have been infected unless they check for themselves (or else run the risk of suffering a loss of sensitive information).
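Both of Proofpoint’s checks above (the permission review and the SHA256 comparison) can be scripted rather than done by eye. The following is an added example written for this article, not Proofpoint’s or Niantic’s code. It assumes the permission list is taken from the text output of `adb shell dumpsys package <package>` on Android 6 or later (lines of the form `android.permission.X: granted=true`); the package name, the dump itself and the watch-list of permissions are constructed for the example, and the published hash is a placeholder because the article does not reproduce Proofpoint’s hash values.

```python
import hashlib
import tempfile
from pathlib import Path

# Permissions the article lists as red flags for the trojanised APK (auto-start
# at power-up, phone calls, contacts, SMS) plus the RAT capability it describes
# (microphone). Hypothetical watch-list assembled here; not Proofpoint's list.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "start automatically at power-up",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.PROCESS_OUTGOING_CALLS": "intercept outgoing calls",
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_CONTACTS": "modify contacts",
    "android.permission.RECORD_AUDIO": "record audio with the microphone",
}

# Constructed sample in the shape of `adb shell dumpsys package <pkg>` output on
# Android 6+. The package name is a placeholder, not the real game's.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.suspect] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.CALL_PHONE: granted=false, flags=[ USER_SET ]
      android.permission.WRITE_CONTACTS: granted=true, flags=[ USER_SET ]
"""


def granted_permissions(dumpsys_text):
    """Return the set of permissions the dump reports as granted=true."""
    granted = set()
    for raw in dumpsys_text.splitlines():
        line = raw.strip()
        if line.startswith("android.permission.") and "granted=true" in line:
            granted.add(line.split(":", 1)[0])
    return granted


def flag_suspicious(permissions):
    """Map each granted permission on the watch-list to what it lets the app do."""
    return {p: SUSPICIOUS_PERMISSIONS[p] for p in sorted(permissions)
            if p in SUSPICIOUS_PERMISSIONS}


def sha256_hex(data):
    """SHA-256 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large APK never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def apk_matches(path, published_hex):
    """True only if the file's digest equals the published one (case-insensitive)."""
    return sha256_of_file(path) == published_hex.strip().lower()


if __name__ == "__main__":
    for perm, capability in flag_suspicious(granted_permissions(SAMPLE_DUMPSYS)).items():
        print(f"SUSPICIOUS {perm}: {capability}")
    with tempfile.TemporaryDirectory() as tmp:
        apk = Path(tmp) / "suspect.apk"
        apk.write_bytes(b"constructed placeholder, not a real APK")
        # EXPECTED_HASH_PLACEHOLDER stands in for the hash Proofpoint published;
        # a mismatch (printed False here) means the file is not the known build.
        print("hash matches published value:", apk_matches(apk, "EXPECTED_HASH_PLACEHOLDER"))
```

On a real device the dump comes from `adb shell dumpsys package <package>` with USB debugging enabled; a permission that is requested but `granted=false` is deliberately ignored, because the RAT can only use what has actually been granted. The hash comparison is only as good as the reference value, so the expected digest should be taken from Proofpoint’s write-up or from a copy of the app obtained from the official store, never from the same site that served the APK.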

A secondary security risk that has arisen from the popular game is linked to the gameplay itself, which makes people go to particular landmarks (in the real world) to collect the Pokemon creatures.

Due to the remoteness of some of those automatically selected locations (which are the same for every player), people have been falling prey to muggers. Those opportunistic criminals have taken to waiting at certain Pokemon locations ready to mug fellow gamers of their phones and other personal possessions.

In Missouri, police arrested 4 teens in a black BMW following reports of a robbery. As the police approached the teens, the young men attempted to dispose of a firearm out of the window of the vehicle. Sgt Bill Stringer, the police officer on patrol, made the following comment about how Pokemon Go was being used to lure victims:

‘Using the geolocation feature the robbers were able to anticipate the location and level of seclusion of unwitting victims.’

In further security-related news about Pokemon Go, the game’s developer Niantic has been found to be collecting huge amounts of data about game players.

Because GPS is a necessary feature for playing the game, Niantic is exploiting the permission to collect data about where players have been, how they traveled there, how much time they spent there, and also who else was there at the time.

In addition to that data, Niantic asks for a number of other intrusive permissions when the game is installed, covering your IP address, email address, and even the web page you visited prior to loading the game. Niantic has apparently decided that in order for gamers to catch all the Pokemon, they must also have all their data stolen in return.

Orwellian Pokemon Go

Unbelievably, any iPhone users that logged into the game using their Google account unknowingly also gave Niantic permission to view all their emails as well. The problem with that, of course, is that having read/write permissions would give cyber criminals access to the entire Gmail account, should they hack the game’s servers.

According to the game’s developer, the outlandish permissions were, in fact, a coding error, and since news emerged of the security risk they have been working hard to fix the problem, treating the situation as an emergency:

‘The Pokemon Go account creation process on iOS erroneously requests full access.

Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokemon Go needs,’ Niantic has admitted.

In addition, however, one reddit user has also flagged up parts of the ToS. Homer_Simpson_Doh has commented that he feels the privacy agreement is rather Orwellian, and it is hard to disagree.

Ashley Feinberg, for one, feels that the highly invasive nature of the game’s ToS is no coincidence. She explains that Niantic was founded by John Hanke, who himself has strong ties to the intelligence community via the US’ National Geospatial-Intelligence Agency:

‘Still unsure if Pokémon Go’s creator is a government spook?’ she writes, before commenting ‘Check out this excerpt from the NGA’s in-house publication, Pathfinder Magazine’:

‘Data is king. All hail big data. At a first glance, a big data solution may appear to be a silver bullet for an organization’s needs. Certainly, many sectors have urgent requirements that can be addressed with big data. Companies obtain customer information through avenues such as social media, mobile apps, and customer relationship-management software.’

Feinberg comments that ‘they might as well be talking about Pokémon Go itself,’ and the connection certainly doesn’t appear to be too big a stretch of her imagination.

Use a VPN to get the official Pokemon Go

A final point of interest: some people that wanted to avoid downloading the infected version of the APK (but were too desperate to wait for the official release) have been using a VPN service to appear to be in a place where it is available.

By doing so, they appear to genuinely be in a foreign country where Pokemon Go is available, allowing them to download the official version of the game (a practice called spoofing).

Below is a guide for signing up to the US iTunes and Google Play stores for anyone interested in doing so.

Use US iTunes Store

Signing up to a US iTunes account is easy, but you will need to choose a VPN service (connecting via a US based server) and then create a new account. You will need a valid US email address (just sign up for a new Gmail account once you are connected to your VPN service).

Turn on US apps

If you use a VPN to connect from a US IP address, US only apps should appear automatically. If not, however, turn them on by going to:

Settings -> iTunes Store -> Location -> United States

Setting up a US validated payment method

Unfortunately, you may require a US payment method (which is the trickiest part of the process). If you have a credit card then you might be able to register it using the following method:

  1. Use the digits (not letters) of your postcode, e.g. if your postcode is BS4 5DR, use 4 and 5
  2. Add zeros to it until you have 5 digits, e.g. 45000
  3. Go here to check whether the zip code is valid
  4. If it is not, add one to the last digit until you get a valid zip code, e.g. 45001, 45002 etc.

If this doesn’t work (and you get a ‘Please check that your ZIP corresponds to your billing address’ message), then you can set up a ‘virtual US credit card’ account with EntroPay (4.45% on loads), which should work for you.

Unblock US Google Play Android Store with VPN

In order to get a US Google Play account you will need access to a US IP address, and for this you will require a VPN service. Using a VPN makes the Google Play store falsely believe that you reside in the US, allowing you to access the full US version (again referred to as spoofing).

So, to recap, in order to gain access to the US Google Play store:

  • Find a VPN that works for you and subscribe
  • Download and install the VPN app
  • Choose a US based server
  • Enjoy full access to the US version of Google Play store

Update 07/13/2016

Pokemon Go developer Niantic has now fixed the iPhone ‘code error’ that was giving the app access to users’ Google Accounts, including their entire Gmail account. Niantic’s new permission request only asks for ‘basic Google profile information, in line with the data that we actually access.’ Anybody playing Pokemon Go on an iPhone who hasn’t yet done so should log out of the game and then log back on to get the update.

After updating, be sure to check that the app has scaled back its access to your Google Account by going to Google’s My Account website.

Now select: ‘Connected apps & sites’ -> ‘Manage apps.’ If for any reason the app does still retain full access to your account, be sure to cancel it manually on that page. The update, however, should work.

Android users were not affected by the coding error, and the official Pokemon Go application remains safe for them, but they should still make concerted efforts to check for malware if they got the app from an unauthorized third party source.

Other privacy issues, revolving around Pokemon Go’s amassing of users’ locations, movements, method of traveling, as well as their IP address and the web page they visited before playing the game, still remain. Niantic’s privacy policy.


Ray Walsh

I am a freelance journalist and blogger from England. I am highly interested in politics and in particular the subject of IR. I am an advocate for freedom of speech, equality, and personal privacy. On a more personal level I like to stay active, love snowboarding, swimming and cycling, enjoy seafood, and love to listen to trap music.

2 responses to “Malicious Pokémon Go App Full of Malware”

  1. I’m not a fan of Pokemon, but I have some bad and good news for Android users.

    Your method about accessing the US version of Google Play Store with a VPN may not always work. I think trying to make an in-app purchase will lock your Google account to your country (my main account appears to be locked to Poland). The easiest workaround for this is creating a new Google account for the US by using any US address (I also have an account for the UK). Then go to Settings, clear data of the Play Store, use a VPN and you should get access to the US Play Store. BTW, there is a way to lock your new Google account to the US, allowing you to access the US Play Store without using a VPN in the future. Try to purchase free content (like a book) which requires details of your credit card. Even a failed purchase will be enough. I cannot guarantee working purchases (including in-app purchases in Pokemon Go) – for some reason my Polish credit card almost always isn’t accepted by the US version of the Play Store, but works fine in the UK version.

    Also, in conclusion (if bypassing region locks sounds too complicated), I know a place where you should be able to download 100% safe Pokemon Go APK file:
