Scam Of The Week: Pokémon Malware, Muggings And Other Mayhem

In case you just came back from vacation, there literally is a new craze going on with an augmented-reality smartphone app called Pokémon Go. It's a geocaching game, meaning it's tied to real-world locations.

It's a smash hit, sending people onto the street to catch virtual creatures in real-world locations -- called Pokestops -- that players can capture, train and trade.

However, the game's rapid rollout and breakaway success have their risks. It's from Niantic, a Google spin-off that makes Ingress, which is a very popular multiplayer game, but Pokémon Go has immediately hit several security and privacy-related speed bumps, and not all of them are virtual.

First: Muggings

In this game, players can meet in Real Life using the Pokestop feature to do virtual battle, and police in O'Fallon, Mo., say that a group of four individuals apparently used that feature to lure other players to remote locations with the intention of robbing them. Police said they responded to an armed robbery report at 2 a.m. on July 10, and arrested four suspects - one of whom was a juvenile - who were in a BMW. They also said they recovered a handgun. Here are their mugshots, from left: Michael Baker, Brett William Miller and Jamine James D. Warner - accused of using Pokémon Go to lure victims.


Second: The Google Login Permissions Problem

Many security researchers have been warning that the initial release of the Pokémon Go app has access to many more device permissions than it needs, meaning a possible privacy risk. Some information security experts - such as Veracode CTO Chris Wysopal - have even been urging users to create "burner" Apple or Google accounts that get used only with the game.

Third: Trojanized Apps

Just 72 hours after the release of Pokémon, bad guys had Trojanized a legitimate version of the free Android app to include malware and released it via unofficial, third-party app stores, researchers at security firm Proofpoint said.

The malicious Android application file "was modified to include the malicious remote access tool called DroidJack - also known as SandroRAT, which would virtually give an attacker full control over a victim's phone," the researchers warn in a blog post. Gaming websites have begun publishing instructions about how users can download the app, including using side-loading - evading Google's official app store - to install it.

Proofpoint said: "In the case of the compromised Pokémon Go APK we analyzed, the potential exists for attackers to completely compromise a mobile device. If that device is brought onto a corporate network, networked resources are also at risk."

Send this to your employees, friends and family:

You have probably heard about the new Pokémon app. It's going viral and sends people on the street to catch these little virtual creatures. There are some risks if you have the "gotta catch 'em all" fever.


First, please stick to the vetted app stores; do not download the app from anywhere else. Why? Bad guys have taken the app and infected it with malware, and try to trick you into downloading it from untrustworthy websites.


Second, anyone using the app, and especially kids, should be VERY careful that they are not lured into a real-world trap which could lead to mugging or abduction. Other players can track you in the real world using this app, so be careful.


Third, there are possible privacy issues if you use your Google account to log into the app. Create a throw-away account and use that to log into Pokémon, not your private or business account.


As always, Think Before You Click!

Let's stay safe out there.

Warm regards,

Stu Sjouwerman

Founder and CEO, KnowBe4, Inc.


