Pokemon Go trojan lurking in Play Store is rooting Android devices: Kaspersky Lab

Android users should be warned: Kaspersky Lab has discovered a new malicious app on the Play Store called ‘Guide for Pokemon Go’. The app is capable of seizing root access rights on an Android smartphone, which it then uses to install and uninstall apps and show unwanted ads.

The app has seen more than 500,000 downloads, with at least 6,000 successful infections. Kaspersky has reported the malicious program to Google, which has removed it from the store. The Trojan has a unique way of bypassing detection before it roots a device. For instance, it doesn’t start as soon as a user launches the app.

Pokemon Go trojan installs additional malware modules

Instead, it waits for the user to install or uninstall another app, and then checks whether that app runs on a real device or on a virtual one. If the Pokemon Go trojan finds itself dealing with a real device, it waits an additional two hours before starting its malicious activity. Even then, infection is not guaranteed: after uploading details of the device such as country, language, device model, and OS version, it waits for a response from its command server. Only after it gets that response will it proceed with downloading, installing and running additional malware modules.

This approach means the control server can stop the malicious activity from going any further. It can skip users it does not wish to target, or devices it suspects are a sandbox or virtual machine, which gives the malware an added layer of protection. Once the trojan gets the green light, it starts installing its modules into the device’s system folders, covertly installing and uninstalling other apps and displaying unwanted ads.

Apart from this, Kaspersky Lab's analysis shows that at least one other version of the same program was available on the Play Store in July 2016. In addition, researchers have detected at least nine other apps infected with the same Trojan available on the Play Store since December 2015. The data collected reveals that there have been over 6,000 infections so far, including in countries like India, Russia, and Indonesia.

“In the online world, wherever the consumers go, the cyber criminals will be quick to follow. Pokémon Go is no exception. Victims of this Trojan may, at least at first, not even notice the increase in annoying and disruptive advertising, but the long-term implications of infection could be far more sinister.  If you’ve been hit, then someone else is inside your phone and has control over the OS and everything you do and store on it.  Even though the app has now been removed from the store, there are up to half a million people out there vulnerable to infection – and we hope this announcement will alert them to the need to take action,” said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab.

Users concerned about the Trojan are advised to scan their devices with a mobile antivirus. Kaspersky also advises users to always make sure that the apps they download are from a reputed developer, and to keep their OS and apps updated with the latest patches.

About the author

Abhinav Mishra
