Pokemon Go has a huge security risk and can even contain malware

If you're a Pokemon Go player, you're going to want to pay close attention to this.


It looks like armed robbers aren’t the only thing Pokemon trainers have to be wary of during their Pokemon Go adventure. That’s because your version of Pokemon Go could be filled with malware and security risks.

Niantic has stopped the global rollout of Pokemon Go due to its unstable servers, leading many outside of regions where the game has launched to sideload it onto their mobile devices by downloading it online rather than through the official App Store or Google Play Store. Unfortunately, hackers are taking advantage of the current Pokemon Go craze by sneaking malware into these files.

This information comes from Proofpoint, which has discovered a remote access tool called DroidJack hidden within one Pokemon Go APK. The tool is capable of giving a hacker full access to your phone. If you downloaded the Pokemon Go APK outside of the Google Play Store, you should check to see if the following permissions have been granted:

In addition to the possibility of malware, it appears the Pokemon Go app itself is a huge security risk: it's been discovered that both the iOS and Android versions of the game request full access to your account, instead of just your email address. That means Niantic has all of the information that you've put into your Apple and Google accounts without you even realizing it, which could potentially become a big issue if the company were ever hacked. In fact, the company could read all of your email, send email as you, have full access to your Google Drive, access your private photos, and much, much more.

As of now, those who play Pokemon Go should revoke all access the game has to their Apple ID and Google accounts, considering the risk Niantic is putting us all at. Hopefully the company will update the game to only access the minimum amount of information, or else millions of people will continue to have their full accounts available to Niantic without even realizing it.

Senior Editor
From The Chatty
  • reply
    July 11, 2016 12:20 PM

    Daniel Perez posted a new article, Pokemon Go has a huge security risk and can even contain malware

    • reply
      July 11, 2016 12:29 PM

      how does one go about limiting what they have access to on an android phone?

      • reply
        July 11, 2016 12:36 PM

        with the current version of android, when you launch the app for the first time it pops up an allow or deny prompt for every permission.

        • reply
          July 11, 2016 8:52 PM

          Settings -> Apps -> Pokemon GO -> Permissions

          You have to have the latest version of android to have selectable permissions though. The four options I have are Camera (on), Contacts (off), Location (on), and Storage (off).

      • reply
        July 11, 2016 1:47 PM

        Cyanogenmod lets you choose permissions

    • reply
      July 11, 2016 12:37 PM

      Shacknews, I like you. However, this is some Fox News level FUD shit.

      • reply
        July 11, 2016 8:34 PM

        No it's not. Mobile software is generally a huge security risk. People think "oh cute, an app" and don't check the permissions they're giving the software.

        As a PC user, would you download some dodgy .exe off the Internet and run it without even scanning it for viruses and malware?

    • reply
      July 11, 2016 12:53 PM

      Not a fan of the extreme clickbaity title. You're better than this Shacknews.

    • reply
      July 11, 2016 12:54 PM

      1 Weird Trick To Catching Them All. Your Local Gym Leader Hates This!

    • reply
      July 11, 2016 1:06 PM

      Don't read the article, ignore the clickbait (again? this is like the second or third one I've seen the past few months.)

      People who were desperate to get the APK for Android when it wasn't rolled out in their region yet downloaded from alternate sites, and some of these may have been contaminated with bad code. aka, clean that off your phone if you have it, and grab the Google Play version just to be sure.

      iPhones are not affected.

      POKEMON GO ITSELF DOES NOT HAVE ANY MALWARE.

      • reply
        July 11, 2016 1:45 PM

        Or.... DO read the article, and then read this, because this is the security hole it's talking about: http://www.shacknews.com/chatty?id=35180681

      • reply
        July 11, 2016 1:48 PM

        you're a clickbait >:(

      • reply
        July 11, 2016 1:53 PM

        iphones are not affected, lol. the game has a skeleton key to full access to the google account. on iOS.

        I didn't even think that was possible, but here we are. A zero-prompt pass through and the game plugs itself in to the entirety of your google account. a game. full access.

        • reply
          July 11, 2016 5:14 PM

          What is amazing is that almost no one gives a shit because game! pokemon! lol!

    • reply
      July 11, 2016 1:50 PM

      Good thing I'm an old person that couldn't be bothered to actually set up a login after downloading it!

    • reply
      July 11, 2016 2:03 PM

      But if you set up a non-Google login it's fine? I assume that's what the Pokemon trainer club login is?

    • reply
      July 11, 2016 2:07 PM

      Hahah considering what a piece of shit the app is I'm really not surprised that something like this is true. Never attribute to malice what can be explained by incompetence though.

    • reply
      July 11, 2016 2:14 PM

      lol Android

      • reply
        July 11, 2016 2:37 PM

        Downloading apk from some shady nonofficial site, explicitly disabling security settings to allow installation of said unsigned software. Lol android?

        • reply
          July 11, 2016 2:44 PM

          Yeah, I'm not getting that.

        • reply
          July 11, 2016 4:18 PM

          Android makes it possible.

          • reply
            July 11, 2016 4:41 PM

            Which is fine, I prefer that. It also warns you pretty clearly every step of the way.

          • reply
            July 11, 2016 5:04 PM

            I hope you don't use any desktop operating systems.

            • reply
              July 11, 2016 5:07 PM

              to be fair that's one reason people increasingly don't

              • reply
                July 11, 2016 5:11 PM

                Ehhh, it's so well hidden in Android it's a non issue for most people.

                • reply
                  July 11, 2016 5:16 PM

                  it's a problem for hundreds of millions or more in China and India. It's also an attack vector for a legitimate looking app in the store to disable.

                  • reply
                    July 11, 2016 5:18 PM

                    There are plusses and minuses. It's also nice to not have a single gatekeeper for a platform as big as Android and iOS.

      • reply
        July 11, 2016 4:26 PM

        For those who didn't read

        ...it appears the Pokemon Go app itself is a huge security risk as it’s been discovered both the iOS and Android version of the game request full access to your account, instead of just your email address. That means Niantic has all of the information that you’ve put into your Apple and Google account without even realizing it, which could potentially become a big issue if the company were ever hacked. In fact, the company could read all of your email, send email as you, have full access to your Google Drive, access your private photos, and much, much more.

      • reply
        July 11, 2016 8:52 PM

        lol MBD posting out of his ass again

    • reply
      July 11, 2016 3:41 PM

      best bet is to just not install it and continue living life

    • reply
      July 11, 2016 4:24 PM

      Went to my google account settings and didn't find the game in the connected apps list; although I signed in using my google id

      • reply
        July 11, 2016 4:42 PM

        This only happens from the iOS version. The Android version doesn't need any permissions (i.e., their Android devs did it right, their iOS devs didn't).

        • reply
          July 11, 2016 4:57 PM

          It's built in Unity, so it's probably the same codebase. Hard to explain the difference, though. Both are just passing a token from a webview login form to the app storage.

        • reply
          July 11, 2016 5:07 PM

          The iOS version doesn't actually need the permissions either (you can delete them and the game still works fine). Oddly enough though, it's able to re-add itself without a prompt if you have to log back in.

          • reply
            July 11, 2016 5:19 PM

            Every time I log into Pokemon Go on my iPhone, Google sends me an email that a new computer has logged into my account. It sounds like they just set up their auth db wrong.

            • reply
              July 11, 2016 5:29 PM

              How does it re-grant the permissions without even a prompt though? From what I remember, whenever you connect something to your google account it redirects you to an intermediary webpage on login showing the rights you're about to grant it.

              • reply
                July 11, 2016 5:32 PM

                Yeah, that's what I recall, too. I have no idea, but if Google allows that, then I'd say they're at fault. And Niantic should have known how to make it work properly, as a former Google company. My guess is they implemented this back when they were still at Google and used some undocumented part of the API.

      • reply
        July 11, 2016 5:37 PM

        same experience here - nothing at all shows up on my app permissions from android

    • reply
      July 11, 2016 6:01 PM

      So I'm not sure what they're doing and I signed in through the Pokemon Trainers Club so I'm not affected but here's some explanation on what may be happening (which virus or some other GoogleShacker might put the smack down on me if I get it wrong)

      So it's been this trend for years now that you don't host your own login form, you embed the login form from the provider and use OAuth or OpenID or whatever and then the provider tells you if it worked or not and you let them in. This is the case even for native apps on phones and Windows.

      Depending on the needs of your app, you can either use it solely for authentication, or you can ask for access to things from the Google account. So for example if your app is a calendar app you would ask for access to the Google Calendar for the account and then you have access to the Google Calendar APIs and so forth.

      The part that's weird to me is that usually the end user is shown a screen that asks what the app can have access to. This article indicates that this is being skipped somehow.

      If this is the case then it's my guess that the developer just screwed up and had the app asking for everything while developing it and just flat out forgot to dial back the permissions before launch. Or in the final push to finish. It's bad practice but it's not unheard of to get really far in development and then completely forget about some early debugging band-aid you put in place.

      I think Google has the power to revoke the app's key until they get their shit together (this may have already happened based off of what people are seeing) but I doubt this is malice so much as a mistake.
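
The difference between sign-in-only and broader access described in the last comment comes down to the OAuth 2.0 `scope` parameter. The following is an added example, not part of the article or any comment and not Niantic's or Google's code: it audits the scopes in an authorization request URL, or in a token-info style JSON body, against a sign-in-only allowlist. The client ID, redirect URI and sample inputs are constructed placeholders, and the allowlist is an assumption about what a game needs.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Scopes that only identify the user; enough for "sign in with Google".
SIGN_IN_ONLY = {"openid", "email", "profile"}

# What a few real Google API scopes grant, for readable findings.
KNOWN_SCOPES = {
    "https://mail.google.com/": "read, send and delete all Gmail",
    "https://www.googleapis.com/auth/drive": "all Google Drive files",
    "https://www.googleapis.com/auth/calendar": "all calendars",
}

def split_scopes(scope_value):
    """Split a space-delimited OAuth 2.0 scope string, dropping duplicates."""
    return list(dict.fromkeys(scope_value.split()))

def excess_scopes(scopes, allowed=SIGN_IN_ONLY):
    """Return {scope: description} for every scope beyond the allowed set."""
    return {s: KNOWN_SCOPES.get(s, "unrecognised scope, review manually")
            for s in scopes if s not in allowed}

def audit_authorization_url(url):
    """Audit the scope parameter of an authorization request URL."""
    params = parse_qs(urlsplit(url).query)  # also decodes %20 and '+'
    scopes = split_scopes(" ".join(params.get("scope", [])))
    return excess_scopes(scopes)

def audit_token_info(body):
    """Audit the 'scope' field of a token-info style JSON body."""
    return excess_scopes(split_scopes(json.loads(body).get("scope", "")))

# Constructed sample inputs (client_id and redirect_uri are placeholders).
CALENDAR_APP_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
    "&client_id=EXAMPLE_CLIENT_ID&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar"
)
SIGN_IN_URL = CALENDAR_APP_URL.split("&scope=")[0] + "&scope=openid+email"
TOKEN_INFO = json.dumps({"scope": "openid email https://mail.google.com/ "
                                  "https://www.googleapis.com/auth/drive"})

if __name__ == "__main__":
    for name, result in [("calendar app", audit_authorization_url(CALENDAR_APP_URL)),
                         ("sign-in only", audit_authorization_url(SIGN_IN_URL)),
                         ("granted token", audit_token_info(TOKEN_INFO))]:
        print(name, "->", result or "no excess scopes")
```
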