Augmented reality is a growing trend in the technology industry, and perhaps one of the best known uses of it today can be found in the extremely popular mobile device app, Pokemon Go. However, hackers have seized the opportunity to infect players who want to “catch ‘em all” with a backdoor called DroidJack – something that certainly won’t help gamers “be the very best.”

The Pokemon series has long been known as one of Nintendo’s most popular gaming franchises, and with the release of Pokemon Go, the series has finally made its way to everyday mobile device users. It’s currently ranked as the #1 most downloaded free app on the Apple Store, as well as the Google Play store. The game was such a hit that Nintendo’s stock increased exponentially overnight, and the app has over 26 million users worldwide – more than Tinder, Twitter, Google Maps, and other mobile apps.

However, like many extremely popular things, hackers have taken this and exploited it to do their bidding. Prior to the app’s release worldwide, many impatient fans downloaded the APK (Android application package) from third-party websites and “side-loaded” it onto their devices. This can only be done by going into Android’s settings and allowing app installation from unknown sources. Normally, this is a red flag for any security-minded mobile device user, as some malware is known to infect devices and download apps without the permission of the user; yet, some Pokemon fans just couldn’t wait, and downloaded the APK without thinking of the consequences; like downloading a backdoor.

Considering how many countries outside the United States, Australia, and New Zealand, are still waiting for access to Pokemon Go, many have chosen to just use the APK to get the app on their device, rather than wait for the official release. One particular source of the APK provides a modified version of Pokemon Go that, upon installation, installs a backdoor onto the device, which allows for remote access to the device and provides full control over the victim’s phone. The infected version of Pokemon Go is so well-done and inconspicuous that the user likely won’t know that their device has been infected. Security firm Proofpoint suggests that it’s entirely possible that, should infected devices connect to your network, networked resources can also be put at risk.

Take a look at the DroidJack-infected app’s permission request, and see for yourself just how strange they might look.

https://www.proofpoint.com/sites/default/files/users_content/10/pokemon-fig2.png
https://www.proofpoint.com/sites/default/files/users_content/10/pokemon-fig3.png

When downloading any app, it’s crucial that you drive this best practice into the heads of your employees: be sure to pay attention to the permissions required by the apps that you download. For example, there’s no real reason why Pokemon Go would need to make phone calls, edit and send text messages, modify your contacts, and record audio. All of this is just asking for disaster. While exploitation of the APK hasn’t been observed in the wild, it represents a dangerous development in mobile applications, one which shows hackers taking advantage of wildly popular smartphone apps, and turning them into catalysts to spread their malware and influence.

There are two lessons to be learned. Don’t download apps from unknown sources, even if they’re just games, and make sure that your employees know what your policy on mobile apps is on your in-house network. Also, be sure to examine a new app’s permissions, and only download them from the Apple store or Google Play store. Among your millennial workforce, there may be many users of Pokemon Go, so it’s your responsibility to reach out to them, and educate them on these best practices.

After all, “Gotta catch ‘em all,” doesn’t refer to malware infections.