It’s a criminal move more devious than anything Team Rocket could ever think up. Half a million Pokémon Go players were tricked into downloading malware when they installed a phony app that pretended to be a guide to the popular mobile game.
The cybersecurity experts (and apparent Pokémon Masters) over at Kaspersky Lab explained the whole scam on their blog.
The offending app, “Guide For Pokémon Go,” was available for download on the Google Play store, and it was downloaded more than 500,000 times. According to Kaspersky’s analysis, the app successfully infected at least 6,000 of its victims’ phones with malware.
The Trojan worked by hiding compressed executable files behind legitimate Pokémon Go tips and tricks. After the app had been installed, the malware lay in wait, hiding like a Rattata in tall grass preparing an ambush. It stayed dormant long enough to determine if it was on a real phone or a device used by security experts to look for viruses.
Next, the Trojan sent a message to the cybercriminals who created it with information about the phone. The criminals could then order the app to install hidden software that would overload the victim’s phone with a near-constant stream of ads, but that’s only the start of what the “Guide For Pokémon Go” can do.
The app can install anything on an infected phone without the user’s permission, including software that can lock devices for ransom or directly steal money from any linked bank accounts.
The app was removed from the Google Play store, but it had already been downloaded 500,00 times. Kaspersky confirmed that there had been victims in Russia, India, and Indonesia, but noted that there were probably more around the world, especially because the app was in English.
It’s worth remembering that Pokémon Go has itself been accused of being malware, so this latest turn of events isn’t exactly shocking.
One thing’s for certain: “Guide For Pokémon Go” is certainly worse than MissingNo. ever was.