"Pokemon Go" is actually a location based augmented reality game for iOS and android devices. There are various fake version of the app available, all of them are pretending to be the genuine version of the "Pokemon Go" app and allow users to access upto level 5 in the game. Some fake versions of "Pokemon Go" are fake lockscreen apps, some are embedded with malicious Remote Access Tool (RAT) called as Droidjack (SandroRAT) for android.
The fake app may be capable of performing the following functions:
- Giving full access of the victim's android device to the attacker.
- Install various side loaded apps along with the installation of the "Pokemon Go".
- Makes network connections to the Droidjack(RAT) server to post various data of the infected device.
- Install the App with more permissions than the required permissions by the genuine Pokemon Go App.
- If compromised device is connected to corporate network, it may pose risk to corporate network also.
These fake APKs are available on certain websites which provides the instructions to install the apps downloaded from third party sites. Instructions given by these sites to trick users are:
"To install an APK directly you'll first have to tell your Android device to accept side-loaded apps. This can usually be done by visiting Settings, clicking into the Security area, and then enabling the "unknown sources" checkbox."
Some of the fake Pokemon Go apps earlier available on Google Play store are:
These apps are capable of locking the victim device. Forced reboot is required to come out of the locked screen. After successful reboot of the device, the app keeps on running itself in background and make network connections to various add sites, which gives fake messages & enticing users to download other side loaded apps. The messages displayed on the infected devices are as follows:
- "Pokemon GO Ultimate"
- Guide & Cheats for Pokemon Go"
- "Install Pokemongo"
After installing "Pokemon Go Ultimate" app, the icon shown to the user on device is:
Installation leads to the locking of the home screen of the infected device as shown below:
Indicators of Compromise:
The difference observed in the genuine and fake versions of the "Pokémon Go" APP are:
1. Difference in permissions required by the App.
(Users can check the permissions of their installed applications by "Going to Settings -> Apps -> Pokémon GO and then scrolling down to the PERMISSIONS section"
2. Difference in classes and embedded packages
Command and Control server:
It has been observed that the package "net.droidjack.server" contains a file named as "br.class" that contains a code to communicate to command and control server for droidjack RAT. The code is shown below:
Domain Contacted: "pokemon.no-ip.org" hosted on "126.96.36.199"
Hashes of Malicious/Fake APK: