
'Side-loading' Pokémon Go onto your Android device may bring malware along for the ride

Security firm explains how to identify and remove the infection


Owen S. Good is a longtime veteran of video games writing, well known for his coverage of sports and racing games.

Cybersecurity analysts say they have discovered a malware-infected version of Pokémon Go for Android devices, which is of particular concern to those in regions where the extremely popular game has not yet launched and users are installing versions downloaded from file-sharing sites.

Proofpoint researchers found an APK (the Android app file format) of Pokémon Go carrying the remote-access trojan called DroidJack. Symantec discovered the malware in late 2014 and describes it as "a Trojan horse for Android devices that opens a back door on the compromised device [and] also steals information."

This malware is not in any official app-store version of Pokémon Go where that game has launched — currently only the United States, Australia and New Zealand. However, users in other regions looking to get in on the craze could encounter this infected edition.

Proofpoint's writeup on the malware includes detailed screenshots and descriptions of how to know for sure if your device has been infected. Proofpoint notes that "we have not observed this malicious APK in the wild" yet, but added it was found on a known malicious file repository about three days after Pokémon Go's launch in Oceania last week.

Though Symantec gives DroidJack its lowest threat rating at the moment, it has a renewed potential to spread thanks to Pokémon Go's popularity and free-to-download format. Some websites have posted guides on how to "side-load" unofficial copies of Pokémon Go, and the file has been shared directly among users.

"As in the case of the compromised Pokémon Go APK we analyzed, the potential exists for attackers to completely compromise a mobile device," Proofpoint wrote. "If that device is brought onto a corporate network, networked resources are also at risk. ... Bottom line, just because you can get the latest software on your device does not mean that you should."