
Pokémon Go Malware Targets Impatient Mobile Gamers

Bulbasaurs and Snorlaxes aren't the only things some Pokémon Go players might be catching on their Android phones.

Security firm Proofpoint reports that its researchers have spotted an infected form of the immensely popular augmented-reality game in an online malware repository. (Intel Security, also known as McAfee, independently found the same corrupted app.) The pirated Pokémon Go secretly harbors the DroidJack malware, which can completely hijack a victim's phone.

Credit: Sam Rutherford, Kenneth Butler/Tom's Guide


Anyone trying to "side-load" Pokémon Go — and there will be plenty of people who do, as the game has so far been released only in Australia, New Zealand and the United States — runs the risk of giving full control of their device to cybercriminals.


Proofpoint found the infected Pokémon Go early in the morning of July 7, the day after its release in the three countries described above. So far, there haven't been reports of it in the wild, but that may just be a matter of time.

The problem is that Pokémon Go is free, immensely popular, largely unavailable — 95 percent of the world's population doesn't yet have legal access to it — and nevertheless attainable by inadvisable means. (The game has swamped Nintendo's servers, and the rollout to other countries has been delayed as a result.) It's a perfect opportunity for cybercriminals.

We can't tell you how stupid it is to sidestep territorial restrictions and get Pokémon Go on your own devices. Please don't disable security on your Android phone by allowing apps from "unknown sources" and then go to an unauthorized Android app repository.

First of all, unless you're an app developer, you should NEVER turn off the "Unknown sources" blocking on your Android phone. That is just going to open you up to a world of hurt. 

Second, you should never trust off-road app repositories, even if they seem to be on the up-and-up. Google itself has a hard time policing its own app market — how much better is a third-party distributor going to be?

(It's also possible to create a fake iTunes account in Australia, New Zealand or the U.S. to download the iOS version of Pokémon Go. That's less risky than side-loading an Android app, but iOS malware does exist, and this process may violate Apple's terms of service.)

Pokémon Go has also been linked to routine online spam campaigns, including one that promises an insane amount of in-game coins if you'll just take the time to respond to a quick online survey. Of course, there are no coins once you complete the questions. That's fairly harmless, but it's just a matter of time before the spammers move on to distributing malware or conning you into disclosing your personal information.

Our advice is: If you're not in the U.S., Australia or New Zealand, wait until Pokémon Go is officially released in your country. Then grab a legitimate copy from your platform's designated app market.