Hackers have been quick to try and capitalize on the immense popularity of augmented reality smartphone game Pokemon Go.

The first malware linked to Pokemon Go was spotted online earlier this month, but never made it onto the official Google Play store. This limited its threat, but a new group of malicious apps present a greater security risk.

Pokemon Go Nintendo
Image Credit: Nintendo

Fake apps hook in Pokemon Go players

The new apps hook users in by promising to provide tips and cheats, among other functions. They contain malicious code that hijack users’ phones to click porn ads, or trick them into buying expensive bogus services.

Security researchers at ESET Mobile Security were responsible for discovering the apps. One is a lockscreen app called “Pokémon Go Ultimate,” while others include “Guide & Cheats for Pokémon GO” and “Install Pokémongo.”

When ESET found the apps they were still live on Google Play, but they were later removed by Google.

Dangerous malware promises in-game items

Researchers say that “Pokemon GO Ultimate” looked like the normal game, but would cause the screen to lock after startup. Rebooting would not solve the problem, and users had to pull their battery out or resort to using Android Device Manager.

Pokemon Go fake apps

However after reboot the app continued to run in the background and would click on porn advertisements. The only way to uninstall was to use Android Settings to remove the app manually.

Hackers could have put the app to far worse use, for example by adding a ransom message. If they had done so it would have been the first time that lockscreen ransomware had been seen on Google Play.

The other apps did not hijack phones, but encouraged users to subscribe to unnecessary services using “scareware.” They promised to generate up to 999,999 valuable in-game items like Pokécoins, Pokéballs or Lucky Eggs for Pokémon Go if users verified their accounts.

When users provided their details they would be bombarded with pop-ups which told them that their device had a virus and needed to be cleaned. Providing details here would sign them up to SMS subscription services and other expensive functions, depending on where they were based.

More malware likely to appear online

None of the apps lasted long before being removed from Google Play, and didn’t attract many victims as a result. “Pokémon Go Ultimate” reached 500 – 1,000 users, “Guide & Cheats for Pokémon Go” reached 100 – 500, and “Install Pokemongo” attracted 10,000 – 50,000 victims, according to ESET.

While these numbers may be low, it is still worrying that they were able to make it on to Google Play. While Apple keeps strict control of the apps that are included on its App Store, Google has become known for more lax security procedures. However the company did claim last spring that apps were now verified by human agents rather than automated systems.

Google usually reacts quickly when malicious apps are flagged, but has been criticized for allowing adware and scareware to go live. The popularity of Pokemon Go means that there will likely be many more fake apps appearing online, and Google should act to prevent users falling victim to scammers.

As it stands it is best to refrain from installing third-party Pokemon Go apps. While you may want to get out there and catch them all, it makes no sense to do so at the expense of your online security. If you insist on playing, do so on the official app in order to stay safe.