With the rapid rise of Pokémon Go, many players may be focused on finding, catching, and socializing, unaware of what’s happening behind their screens: malware. This latest security issue follows recent concerns that the iOS version of Pokémon Go can grab user data through access to players’ Google accounts.

Pokémon Go combines the classic 20-year-old franchise with augmented reality technology. This lets players walk around real-life neighborhoods while seeking virtual Pokémon on their smartphones. In other words, players participate in a scavenger hunt in real time. Pokémon Go is the first Pokémon game sanctioned by Nintendo for iOS and Android devices, and the game has erupted into an overnight success.

But it’s also garnered complaints from Apple users over its intrusion into players’ Google accounts. Furthermore, reports from security firms state that the recently released Android version of the game may be distributing dangerous malware.

It is unclear if the Android malware and iOS permissions grab are related. Niantic officials said that the Pokémon Go app on iOS devices requests more permissions than needed, but has not accessed any user information. That was the result of a programming glitch, according to published reports.

The Android flap, however, appears to be a more serious security problem. It involves an altered version of Pokémon Go for Android devices that malware attackers may have slipped into the distribution stream.

Be warned. You can uninstall your iOS version or just stop playing it until a fix is issued, but if you did not download your Android copy from a safe source, your phone or tablet could be infected.

The Android Caper

Researchers at Proofpoint reported during the week of July 11 that they had found an infected Android version of the newly released mobile game. Hackers modified the APK, or Android Application Package, to include the malicious remote access tool (RAT) called DroidJack.

Other security firms refer to the same RAT as “SandroRAT.” Regardless of its name, the modified game installation gives attackers full control over your phone or tablet.

The malware secretly installs back-door access to Android devices. Security firms Symantec and Kaspersky had previously identified the DroidJack RAT, but it had not been found in active use.

The malicious version of the game was uploaded to a file-sharing service on July 7, just a few days after the game’s official release in New Zealand and Australia on July 4 (the U.S. release followed a few days later). The modified Android app is close enough to the official version to fool anyone who plays it.

Go Forth and Infect

Pokémon Go is an instant success. It has taken on all the popularity of a trend driven by social media. But the developer has only rolled out the game in certain countries. Getting a copy sooner rather than later seems to be a cultural imperative for players. So those who could not wait for the U.S. distribution, as well as players in other countries, took matters into their own hands and downloaded the game from third-party software sources.

The permissions list from a legitimate Pokémon Go app installation.

Compromised versions of Pokémon Go seeded third-party sites as the clandestine distribution chain widened, and the malicious files infiltrated file-sharing websites.

As an example of how rapidly Pokémon Go distribution spiraled, consider what happened at the apkmirror.com website. Visitor traffic swamped servers with downloads outside the U.S., according to a report on Similarweb.com. Since the app’s release, traffic to apkmirror.com drastically increased from just over 600,000 visits on July 5 to over 4 million visits the next day.

Google engineers rigorously filter harmful software from the Play Store. However, third-party software vendors tend to be less mindful of security sweeps of the software they distribute. Many website operators may not even know if their servers or specific games are infected.

The preferred and safest installation method of any Android application or game is via the Google Play Store. But you can download Android APK files from unofficial channels and install them by connecting your Android phone or tablet to a computer with a USB cable. The process is called side-loading.

That is how hackers got the malware onto Android devices so quickly. Many of the people who downloaded the infected APK file passed it along to friends and work buddies as an email attachment or on a USB drive.

Unlike Android devices, iPhones cannot side-load downloaded apps. This explains in part why Android systems are more vulnerable to viruses and hacking than iPhones.

Is Your Copy Tainted?

Luckily, you can find out if your Android version of Pokémon Go is infected with malware. According to Proofpoint, begin by checking the permissions list in the application’s settings panel.

Go to the list of permissions in Settings / Apps / Pokémon Go. See the Proofpoint blog for a full list of warning signs.
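The same comparison can be done on the APK file itself, before it is ever installed, rather than in the Settings panel. The following Python script is an added example, not code from the article or from Proofpoint: it parses the output of the Android SDK tool `aapt dump permissions` for two builds, reports every permission the suspect build requests beyond a known-good build, and separately flags permissions that a game has no reason to request even when no known-good build is at hand. The package name, both permission lists and the high-risk list are constructed sample data for this example; they are not the real game’s manifest or the list from Proofpoint’s report.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `aapt dump permissions <apk>` output for a
# hypothetical known-good build. Package name and permissions are
# assumptions for this example, not the real game's manifest.
BASELINE_DUMP = """\
package: com.example.game
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.VIBRATE'
"""

# Constructed sample for a suspect build of the same package that asks
# for three permissions the known-good build never requested.
SUSPECT_DUMP = """\
package: com.example.game
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.VIBRATE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_CALL_LOG'
"""

# Permissions a game has no business requesting. Flagged whenever present,
# so the check still says something when no baseline is available.
# Constructed list for this example; all are real Android permission names.
HIGH_RISK: Set[str] = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.PROCESS_OUTGOING_CALLS",
}

# Accepts both the newer `name='...'` form and the older bare-name form
# of aapt output, with optional trailing attributes such as maxSdkVersion.
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?(?:\s.*)?$")
_PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)'?")


def parse_permissions(dump: str) -> Tuple[Optional[str], Set[str]]:
    """Return (package name, set of requested permissions) from aapt output."""
    package: Optional[str] = None
    perms: Set[str] = set()
    for raw in dump.splitlines():
        line = raw.strip()
        pkg_match = _PKG_RE.match(line)
        if pkg_match:
            package = pkg_match.group(1)
            continue
        perm_match = _PERM_RE.match(line)
        if perm_match:
            perms.add(perm_match.group(1))
    return package, perms


def compare_builds(baseline_dump: str, suspect_dump: str) -> Dict[str, object]:
    """Diff a suspect build's permissions against a known-good build."""
    base_pkg, base = parse_permissions(baseline_dump)
    sus_pkg, sus = parse_permissions(suspect_dump)
    return {
        "same_package": base_pkg == sus_pkg,
        "added": sorted(sus - base),        # requested only by the suspect
        "removed": sorted(base - sus),      # dropped by the suspect
        "high_risk": sorted(sus & HIGH_RISK),
    }


def is_suspicious(report: Dict[str, object]) -> bool:
    """A different package name, any extra permission, or any high-risk
    permission is enough to treat the build as tampered with."""
    return bool(report["added"]) or bool(report["high_risk"]) or not report["same_package"]


if __name__ == "__main__":
    result = compare_builds(BASELINE_DUMP, SUSPECT_DUMP)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", "SUSPICIOUS" if is_suspicious(result) else "matches baseline")
```

To use it on a real file, capture `aapt dump permissions suspect.apk > suspect.txt` (aapt ships in the Android SDK build-tools) and do the same for a copy you know came from Google Play, then feed the two texts to `compare_builds`. The “added” list is the one that matters most: a repackaged build has to declare whatever the injected RAT needs in the manifest, and the manifest is the one place it cannot hide that.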

Hackers routinely build fake versions of popular games to infect phones. Hundreds of clones of “Flappy Bird” were offered, for example, and almost 80 percent of them contained malware, according to a 2014 report from Intel Security.

The permissions list grabbed by the modified Pokémon Go app. - Courtesy of Proofpoint.com

Niantic, the developer that created Pokémon Go, developed a multi-player augmented reality game in 2012, and spun off from Google last year. Nintendo owns one-third of The Pokémon Company. Both have undisclosed stakes in Niantic.

Go Catch ’em All

This outbreak of malware in Android versions of Pokémon Go is a major cause for concern. However, there are ways to reduce your worries. Remember to:

  • Download the game from only trustworthy sites
  • Look out for news regarding security breaches/malware
  • Adjust the permissions list of the app

Happy hunting!