It’s a criminal move more devious than anything Team Rocket could ever think up. Half a million Pokémon Go players were tricked into downloading malware when they installed a phony app that pretended to be a guide to the popular mobile game.

The cybersecurity experts (and apparent Pokémon Masters) over at Kaspersky Lab explained the whole scam on their blog.

The offending app, “Guide For Pokémon Go,” was available for download on the Google Play store, and it was downloaded more than 500,000 times. According to Kaspersky’s analysis, the app successfully infected at least 6,000 of its victims’ phones with malware.

The Trojan worked by hiding compressed executable files behind legitimate Pokémon Go tips and tricks. After the app had been installed, the malware lay in wait, hiding like a Rattata in tall grass preparing an ambush. It stayed dormant long enough to determine if it was on a real phone or a device used by security experts to look for viruses.

Rattata.
Rattata.

Next, the Trojan sent a message to the cybercriminals who created it with information about the phone. The criminals could then order the app to install hidden software that would overload the victim’s phone with a near-constant stream of ads, but that’s only the start of what the “Guide For Pokémon Go” can do.

The app can install anything on an infected phone without the user’s permission, including software that can lock devices for ransom or directly steal money from any linked bank accounts.

This is what the app looked like.
This is what the app looked like.

The app was removed from the Google Play store, but it had already been downloaded 500,00 times. Kaspersky confirmed that there had been victims in Russia, India, and Indonesia, but noted that there were probably more around the world, especially because the app was in English.

It’s worth remembering that Pokémon Go has itself been accused of being malware, so this latest turn of events isn’t exactly shocking.

One thing’s for certain: “Guide For Pokémon Go” is certainly worse than MissingNo. ever was.

MissingNo. was a glitch in the original Pokémon games.
MissingNo. was a glitch in the original Pokémon games.

Photos via Nintendo, Kaspersky Blog, OLM, Inc.

James Grebey is a writer, reporter, and fairly decent cartoonist living in Brooklyn. He's written for SPIN Magazine, BuzzFeed, MAD Magazine, and more. He thinks Double Stuf Oreos are bad and he's ready to die on this hill. James is the weeknights editor at Inverse because content doesn't sleep.