By: Viral Gandhi

Pokémon GO: Pikachu thunder shocks users' wallets and personal lives.

Mobile Malware

The recent release of Pokémon GO has led the game to become one of the most popular apps for Android and iOS, having been downloaded by more than 5 million users. The game is currently available in multiple countries all over the globe; however, there are still a handful of countries eagerly waiting for its release. In turn, attackers are taking advantage of the hype and are scamming large numbers of mobile users.

Recently at ThreatLabZ we came across an Android SMS Trojan disguised as the Pokémon GO app in one of our threat feeds. This malware secretly sends SMS messages to premium-rate numbers, which costs the victim money.

Technical Analysis:

We observed that this malware was dropped from the following URL.

  • http[:]//taigamesvui[.]xyz/sms/pokemongo[.]apk 

The malware installs itself with the legitimate Pokémon GO application icon so that users do not become suspicious, as seen below:

Icon

Upon tapping the icon, the malware shows the victim the following page.

Downloading APK

Once the user taps the first button, the malware starts downloading another Pokémon GO app from the following URL.

  • http[:]//waptuoitre[.]net/dulieu/pokemongo[.]apk

In addition to downloading the APK from the URL listed above, the malware secretly sends SMS messages to premium-rate numbers. The following code shows the malicious activity.

JavaScript code

Unlike most Android malware, this sample drives its malicious activity from an HTML page stored in the assets folder of the package. The "Android.send" function is defined in the DEX file and is called from the HTML page, which passes it the necessary arguments once the user taps the first button.

The following is the function responsible for sending SMS messages to premium-rate numbers:

Send SMS code routine

SMS
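As an added example for defenders (not code from the post, and not the malware's own code), the following Python triage script opens an APK as a zip, scans the HTML and JavaScript files under its assets folder for calls to a JavaScript bridge object such as "Android", and flags methods whose names hint at messaging. The sample APK, the bridge name list and the placeholder arguments are constructed here for the demonstration.

```python
import io
import re
import zipfile

# Constructed sample, not the real malware: a minimal APK-like zip whose assets
# folder holds an HTML page calling a method the DEX code exposes to JavaScript,
# mirroring the "Android.send" bridge described above. Arguments are placeholders.
SAMPLE_HTML = b"""<html><body>
<button onclick="Android.send('PLACEHOLDER_NUMBER', 'PLACEHOLDER_TEXT'); download()">
Download</button>
<script>function download(){ window.location = 'http://example.invalid/app.apk'; }</script>
</body></html>"""

def build_sample_apk() -> bytes:
    """Build an in-memory zip with the layout of an APK (stub manifest and DEX)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML stub, not parsed
        z.writestr("classes.dex", b"dex\n035\x00")               # DEX magic only
        z.writestr("assets/index.html", SAMPLE_HTML)
        z.writestr("assets/style.css", b"body{}")                 # non-script asset, ignored
    return buf.getvalue()

def find_bridge_calls(apk_bytes: bytes, bridge_names=("Android",)):
    """Return (asset path, object, method, raw arguments) for each call to a
    JavaScript bridge object inside HTML/JS files under assets/."""
    pattern = re.compile(
        r"\b(" + "|".join(map(re.escape, bridge_names)) + r")\.(\w+)\s*\(([^)]*)\)"
    )
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("assets/"):
                continue
            if not name.lower().endswith((".html", ".htm", ".js")):
                continue
            text = z.read(name).decode("utf-8", errors="replace")
            for m in pattern.finditer(text):
                hits.append((name, m.group(1), m.group(2), m.group(3).strip()))
    return hits

def messaging_calls(hits):
    """Triage heuristic: keep bridge methods whose names hint at SMS/messaging."""
    keywords = ("send", "sms", "message")
    return [h for h in hits if any(k in h[2].lower() for k in keywords)]

if __name__ == "__main__":
    for path, obj, method, args in messaging_calls(find_bridge_calls(build_sample_apk())):
        print(f"{path}: {obj}.{method}({args})")
```

The regex is a triage aid, not a parser: a hit shows where the page hands control to native code, and the DEX method it names is what an analyst then decompiles to confirm behaviour.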

The downloaded application also turned out to be fake and crashed on all of our lab devices. A victim will therefore probably try to open the malicious app several times, triggering the malicious routine each time, including the SMS messages to premium-rate numbers, and costing the victim even more money.

Pokémon GO Clickfraud

As we saw in the above case, the fake app is capable of scamming gamers financially by sending SMS messages to premium-rate numbers. It is important to note, however, that this fake application never made it to the Google Play Store. We did, however, see an aggressive auto-clicker malware variant leveraging a Pokémon GO lure make its way onto the Google Play Store. The app was named "Install Pokémon GO," and it got our attention because of a huge number of negative reviews and comments from more than 2,500 users. Google was quick to remove this app. The screenshot below shows the icon of the installed app:


AutoClicker using Pokémon GO Icon

The app disguised itself as a guide to installing Pokémon GO from the third-party store APKMirror, but in reality it did nothing more than display a banner for a few seconds before starting its aggressive auto-clicking.


The screenshot below shows the screen displayed to the victim for a few seconds, explaining how to install Pokémon GO.


Installation Banner

After a few seconds, it starts displaying ads on the main screen, as shown in the screenshot above. Additionally, the app launches the browser, opens several links automatically, and begins its auto-clicking activity.

The screenshot below shows several links opened within a very short span of time, as well as the type of ads loaded by the auto-clicker app:

Auto clicked links and displayed Ads

The damage such apps inflict is less severe than that of banking Trojans or ransomware, but because this app leaks the victim's sensitive information, such as device info, SIM details, time zone and location, it may serve as a gateway for further attacks and infections.

Pokémon GO Privacy issue

The original Pokémon GO application has also come under scrutiny over privacy issues, because it requested more access permissions than it needs. The iOS version of Pokémon GO originally required full access to the user's Google account when the user signed in with a Google account. Such approval grants the game complete access to the user's Google account. Considering the personal and financial information stored in Google accounts, handing that level of access to third-party servers would create a serious problem in the event of data theft from Pokémon GO's servers.

Meanwhile, Niantic, Inc. (the developer of Pokémon GO) published a statement saying that this happened due to coding errors and that they have fixed it, as the game needs only the player's Gmail account and user ID. The company also promised that none of the unwanted user data had been accessed.

Don't let malware authors exploit the temptation to play Pokémon GO. Niantic, Inc. has now fixed the privacy-related issues in the new Pokémon GO app. We recommend downloading the game from authorized and legitimate sources only.

Happy and safe gaming.

Writeup by - Viral Gandhi, Shivang Desai
