Kaspersky Lab experts have discovered a new malicious app on the Google Play store, Guide for Pokémon Go, which is said to be capable of seizing root access rights on Android smartphones and using them to install and uninstall apps and display unsolicited ads.
The app has been downloaded more than 500,000 times, with at least 6,000 successful infections including devices in Russia, India and Indonesia, Kaspersky said in a press release.
Meanwhile, the Trojan has been removed from Google Play following its discovery.
The global phenomenon of Pokémon Go has resulted in a growing number of related apps and, inevitably, increased interest from the cybercriminal community. Kaspersky Lab’s analysis of the “Guide for Pokémon Go” Trojan has uncovered malicious code that downloads rooting malware, securing access to the core Android OS for the purposes of app installation and removal as well as the display of advertising.
“The Trojan includes some interesting features that help it to bypass detection. For example, it doesn’t start as soon as the victim launches the app. Instead, it waits for the user to install or uninstall another app, and then checks to see whether that app runs on a real device or on a virtual machine,” Kaspersky said in the press release.
It further added: “If it’s dealing with a device, the Trojan will wait a further two hours before starting its malicious activity. Even then, infection is not guaranteed. After connecting with its command server and uploading details of the infected device, including country, language, device model and OS version, the Trojan will wait for a response. Only if it hears back will it proceed with further requests and the downloading, installation and implementation of additional malware modules.”
“In the online world, wherever the consumers go, the cybercriminals will be quick to follow. Pokémon Go is no exception. Victims of this Trojan may, at least at first, not even notice the increase in annoying and disruptive advertising, but the long term implications of infection could be far more sinister. If you’ve been hit, then someone else is inside your phone and has control over the OS and everything you do and store on it. Even though the app has now been removed from the store, there’s up to half a million people out there vulnerable to infection – and we hope this announcement will alert them to the need to take action,” said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab.
People concerned that they may be infected with the Trojan should scan their device with mobile antivirus. If they are infected, there are tools available to help them remove the rooting malware, which can be a complex process.
In addition, Kaspersky Lab advises users to always check that apps have been created by a reputable developer, to keep their OS and application software up-to-date, and not to download anything that looks at all suspicious or whose source cannot be verified.