Our partners at the cybersecurity firm SentinelOne have shared the below blog post on recent security problems with Pokémon GO. Remember to ensure your devices are secure from all threats, including those hidden within apps.
The past week has evoked an unfamiliar sight in many of the country’s public areas: Hundreds of young adults—heads down, eyes glued to their phones—wandering through public parks in search of Pokémon. In many ways, Pokémon GO represents a seismic societal shift. No other game has really captured the potential of augmented reality in a way that’s really seized the public imagination. By the same token, another seismic shift has opened up—a whole lot of people are suddenly getting an unpleasant education on the dangers of mobile malware, account privacy exposure, and GPS hacking.
Dangers of Counterfeit Applications
Full disclosure, SentinelOne has general availability products for servers and endpoints—the mobile product is in beta. But let’s focus on mobile malware for a moment. There’s an excellent chance that an attacker could leverage an infected mobile device to go after an enterprise’s other infrastructure, especially with the Pokémon GO malware that’s been discovered in the wild.
This malware takes the form of a bootleg Pokémon GO app. The lure is pretty simple—Pokémon GO is mega-popular, but it hasn’t come out in every country on earth yet. People in non-Pokémon-infected countries are tempted to download these bootlegs apps in order to enjoy the game before its official launch. In at least one instance however, an illicit app, packaged as an Android .APK file and available through a phone’s browser, contained a remote access trojan. Any users of this app would have caught a RAT well before they found their first Rattata.
Fortunately, it doesn’t appear that the embedded malware is currently active, so no one who downloaded that particular app has anything to worry about. Had the malware been active, users would have found that the app gained far more permissions than the genuine version usually receives. This includes the ability to change Wi-Fi and network connections, read a user’s web activity, and control app usage. Not only would this be more than enough control to grab any confidential or compromising information on a user’s phone, it would provide an excellent platform for malicious actors to launch an assault on an enterprise network.
Privacy Conundrums, I Choose You!
In addition to having some dodgy imitators, Pokémon GO isn’t without problems that are inherent to the app itself. Again, this is a case of app permissions run amok. Instead of just using the Google Maps API, the app originally gained “full access” to a user’s Google Account.
What does full access mean in this context? Full access gives Pokémon GO a token that can be exchanged for uberauth, a sort of super-token that gives its bearer full access (view, write, create, delete, and edit permissions) to Gmail, Google Calendar, Google Docs, and all other connected Google accounts.
Obviously, this is a huge deal. A hacker who compromised Niantic (the Pokémon GO creators) could potentially have access to a whole bunch of PII stored in that user’s drive. Failing that, they could implant malware into a Google Drive in what’s known as a “Man In The Cloud” attack, infecting any endpoints that synced with that particular cloud storage.
Pokémon GO Threats from Every Direction
Although Niantic quickly patched Pokémon GO in order to fix these erroneous permissions, the door is now open. The augmented reality revolution is now upon us, and there are going to be a deluge of “me too” games which capitalize on a similar premise. A lot of these “me too” games might contain risky code. Let’s not forget the “xcodeghost” attacks from last year. Worse yet, it’s likely that several of these applications won’t be as considerate as Niantic when determining which permissions are appropriate for a game of this nature.
IT admins might quickly discover that their users’ phones and tablets have turned into vectors for malware that goes on to infect endpoints and servers. Fortunately, SentinelOne can help. To learn more about how SentinelOne’s dynamic behavioral detection can help deflect attacks from even the most unexpected directions, check out our white paper on “The 4-Minute Guide to Enterprise Security Threats.”