Crooks continue to bank on the Pokemon hype

Jul 15, 2016 21:25 GMT

We already know that crooks are using the Pokemon GO apps to spread remote access trojans via third-party app stores, but now, one of those malware-infected apps has made its way to the official Google Play Store.

Following a report from ESET, Google intervened and removed the app, along with two others that distributed scareware.

Pokemon-themed app distributed clickjacking malware

The malicious app was named Pokemon GO Ultimate and promised to let users play the game even if it was not yet available in their country.

Because Pokemon GO is only available in the US, Australia, New Zealand, Germany, and the UK, some users outside these countries installed the app seeking a way to play Nintendo's bestseller. ESET says that between 500 and 1,000 users ended up downloading and installing the app.

Once this happened, users were never treated to the game because the app never installed anything remotely similar to the Pokemon GO game. In fact, the fake app would install the PI Network application, for which it would also add an icon on the user's phone.

Fake app locked the user's screen, clicked on ads behind their back

If users found this icon and tapped on it, an image would appear on their screen, locking the phone. Only by rebooting the phone would the user be able to remove this screen.

"Unfortunately, in many cases a reboot is not available because the activity of the malicious app overlays all the other apps as well as system windows," ESET's Lukas Stefanko writes. "The user needs to restart the device either by pulling out the battery or using Android Device Manager."

This wouldn't stop the app because, as soon as the user rebooted, it would remove its start icon from the phone and begin working in the background of the Android OS, opening adult-themed sites and clicking on ads, no doubt for the crook's own profit.

To remove the app for good, users need to visit Settings -> Application manager -> PI Network and tap the Uninstall button.

Two other apps distributed adware and scareware

Besides the Pokemon GO Ultimate app, ESET researchers found two other apps, named Guide & Cheats for Pokemon Go and Install Pokemongo.

Both of these apps worked in the same vein as those we talked about yesterday. These are apps that promise to deliver one thing (yesterday it was social media followers, today it's Pokemon cheats) but instead serve popups and ads, often tricking the user into subscribing to expensive premium services.

Between 100 and 500 users installed Guide & Cheats for Pokemon Go while Install Pokemongo reached between 10,000 and 50,000 Android users.

Lockscreen shown to infected users