Pokémon Go spawns over 200 'PokéMalware' clones

Pokmon Go has spawned more than 200 malicious impostors since its launch, researchers have discovered.

Over the first 24 hours of the game's UK launch, eight unofficial clones of the app were released every hour, according to security company RiskIQ.

Within 24 hours, the total number of unofficial apps was 215, released by 70 unique developers across 21 app stores.

These unofficial clones can be highly dangerous, however, as RiskIQ EMEA vice president Ben Harknett pointed out.

"Approximately half of these unofficial apps are requesting broad permissions from users, risking data exposure via mobile devices," he said.

Further examples of this 'PokMalware' were discovered lurking on the Google Play Store by cybersecurity firm ESET. 'Pokmon Go Ultimate' is an instance of lockscreen malware, which forces the user to reboot the device, before hiding in the background and clicking on porn ads.

"Pokemon Go Ultimate is the first observation on Google Play of lockscreen functionality being successfully used in a fake app," explained ESET malware researcher Luk tefanko.

"As its ultimate functionality is clicking on porn ads, it's not truly damaging. But as for its lockscreen functionality, it'd only take adding a ransom message to create the first lockscreen ransomware on Google Play," he added.

Other 'scareware' apps including "Guide & Cheats for Pokemon Go" and "Install Pokemongo" were also discovered. This malware tricks users into giving up their personal information and agreeing to receive virtually endless telemarketing - often at great cost to the user themselves - in exchange for in-game items.

The examples discovered by ESET were removed form the Google Play Store after being identified by the company, but tefanko warned that some users may still be at risk.

"Pokmon Go is such an appealing game that despite of all the warnings by security experts, users tend to accept the risks and download anything to catch all the Pokmon," he said.

"Those who really can't resist the temptation should at least follow the most basic security rules."

08/07/2016: Fake Pokemon Go app lets hackers access your smartphone

A malicious app masquerading as Pokemon Go could give hackers full access to victims' phones, security researchers have discovered.

Pokemon Go is an augmented reality smartphone game based on the popular Nintendo property, that lets users collect Pokemon based on their physical location.

Experts from Proofpoint discovered a Pokemon Go APK containing the DroidJack remote access kit on VirusTotal, a repository for malware and compromised apps.

Pokemon Go has reached the top of the App Store charts in the US, and has generated widespread attention. However, it is still unavailable in territories including Europe.

This has led some users to install a non-official version of the app, via a process known as 'side-loading'. This involves installing apps from sources other than the Google Play store, which can infect your phone with malware.

"Installing apps from third-party sources, other than officially vetted and sanctioned corporate app stores, is never advisable," the company wrote in a blog post.

"Official and enterprise app stores have procedures and algorithms for vetting the security of mobile applications, while side-loading apps from other, often questionable sources, exposes users and their mobile devices to a variety of malware."

Although Proofpoint has yet to observe the malicious version of the app in the wild, the company noted that it was still a significant discovery.

"It represents an important proof of concept, namely, that cybercriminals can take advantage of the popularity of applications like Pokemon Go to trick users into installing malware on their devices," Proofpoint said.

"Bottom line, just because you can get the latest software on your device does not mean that you should."

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.