ThreatSTOP Blog

Know before you (Pokémon) Go

Written by amandamcadoo | July 11, 2016

The new big thing this week is Pokémon. After being out of the pop-culture spotlight for years, Pokémon Go has grabbed the attention (and wallets) of the masses. The app, which launched last week, quickly became a viral phenomenon, topping download charts in the United States, Australia and New Zealand. Current estimates show that around five percent of all Android users in America have downloaded the app.

The wild popularity of Pokémon Go may have led to it becoming a victim of its own success. Server issues aside, the game instantly became a target for attackers keen to take advantage of the trend, and shortly following the official release, a malicious Pokémon Go app containing the DroidJack RAT (remote access tool) was released. Players eager to get their hands on the game—the primary targets for the attackers, who struck in countries where the game had not been made officially available—downloaded the compromised version of the game from various sites that specialize in unofficial Android executable files (.APKs).

The infected version of the Pokémon Go app bypassed Android device security by requiring a sideload install. That is, the .APK file needed to be downloaded from a third-party website and then copied onto the device. This circumvented the security conventions provided by Google's Play store and gave the attackers an easy vector to exploit. Sideloading apps is not a new practice; Android users—particularly developers—have been able to do this since the devices were released. The reason for this loophole in security is to allow developers (and advanced Android users) to load applications that have not been signed by Google's Play store onto their devices for testing or use. Unfortunately, in this case it also allowed attackers to exploit the mass interest in Pokémon Go, a staged release cycle, and human anticipation to get malware installed.
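One way to audit a device for sideloaded apps, as an added example that is not from the original post: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and flags anything not installed by Google Play (`com.android.vending`). The package names and sample output are constructed, and treating Play as the only trusted installer is an assumption to adjust for your fleet.

```python
import re

# Installers treated as trusted stores; com.android.vending is Google Play.
# Assumption: only Play is allowed. Add your MDM or vendor store if needed.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line per package: "package:<name>  installer=<installer or null>"
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Constructed sample of `adb shell pm list packages -3 -i` output.
SAMPLE_OUTPUT = """\
package:com.example.mail  installer=com.android.vending
package:com.example.game  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
package:com.example.maps  installer=com.android.vending
"""


def find_sideloaded(pm_output, trusted=TRUSTED_INSTALLERS):
    """Return (package, installer) pairs whose installer is not a trusted store.

    An installer of "null" or the on-device package installer typically means
    the APK was sideloaded (adb, browser download, file manager).
    """
    flagged = []
    for raw in pm_output.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # skip blank lines and anything that is not a package row
        package, installer = match.groups()
        if installer not in trusted:
            flagged.append((package, installer))
    return flagged


if __name__ == "__main__":
    for package, installer in find_sideloaded(SAMPLE_OUTPUT):
        print(f"{package}: installed via {installer}")
```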

The malware in question is an evolution of the SandroRAT software, developed by the same group that made the original DroidJack app. DroidJack actually started life as a legitimate application to allow family members to track one another. DroidJack has maintained similar functionality to its predecessor, and is behaviorally similar to Dendroid, another RAT.

While it may be that your network is secured from the outside, that may not apply to the inside. The reality today is that people bring their personal devices to work all the time. When those devices—be they smartphones, laptops, or any other device—are linked into your network, it opens the door to a malware infection. The only way to be truly safe is to stop threats from communicating with their command and control infrastructure, and to remediate threats immediately upon detection.