FortiGuard Labs Threat Research
At FortiGuard, we wouldn't let you down without an analysis of Pokémon Go. Is it safe to install? Can you go and hunt for Pokémon, or stay by a pokestop longing for pokeballs? While this article won't assist you in game strategy, I'll give you my first impressions analyzing the game.
There are two sorts of Pokémon applications:
1. The official versions, issued by Niantic.
We will talk more about these later, but in brief, they are not malicious.
2. The hacked versions. These are also known as "mods", which are issued by other developers, for multiple reasons. It is in this category we are the most likely to encounter malware. For instance, a repackaged version infected with DroidJack RAT has been identified to be in the wild (see analysis below).
However, not all hacked versions are necessarily malicious: we inspected hacks to play on Android 4.0 (the minimum requirement is normally 4.4), or to modify GPS coordinates, neither of which showed any malicious intent.
Besides manual inspection, we also sent those samples to our learning-based Android prediction engine, SherlockDroid / Alligator, which confirmed our analysis ;)
As mentioned earlier, a sample with sha256
is infected with Android/SandrC.tr, dubbed DroidJack RAT.
This is a known malware, for which we have had a signature since 2015. Therefore, Fortinet customers were protected from this malicious Pokémon app from the beginning :)
This malware is quite widespread. Internal statistics at Fortinet indicate more than 8,800 detections in a year, and 160 last month alone, but those figures are largely underestimated for various reasons, including the fact that reporting is not enabled by default. So, basically, what you should remember is that this malware is still in the wild and active currently.
More malware to come?
Yes, very certainly. Malware authors are likely to continue to re-package the game with a variety of malware and distribute it. The fact the game wasn't released in all countries at the same date, for example, (thus forcing impatient users to look for alternatives on the web), combined with the fact there are large game hacking (that's nice) and cheating (that's bad ;) communities only increase the potential for downloading an infected version of the game..
Adam Reeve noticed that the game requested full access to your Google account. Note: we are not talking about an Android permission here but a permission of an app connected to a Google account.
Finally, note that it is not extremely clear in the documentation exactly how much "full access" really means, but no malware or exploit of this has been reported so far.
In a perfect world, we'd expect games to only send packets over the network that are absolutely necessary for the game to run, such as your location, the details of Pokémon around you, etc.
However, this is very far from reality, and for years now most Android applications are bundled with third party kits (analytics, crash reporting, cross platform engines, etc.) which use up the bandwidth which send and receive more or less useful side information containing, in the best cases, the exact model of your smartphone, or in the worst, personal information such as your phone number and other private data.
Pokémon Go is one of these bandwidth hungry applications. I downloaded it two weeks ago, and it is already close to being the most greedy application on my phone...
For mobile users, the consumption of bandwidth is a real issue. On average, 24% of an application's traffic is for third party tracking and advertising services. For some applications, the rate rockets to 98%.
While the percentage of side traffic for Pokémon Go hasn't been measured precisely, given the number of third party functionality it includes, I wouldn't be surprised if it isn’t well above 50% ;)
Here is a list of what version 0.31.0 contains:
Along with such "not-so-essential" network traffic to third party servers also comes common leaks. While we expect Niantic Labs and Unity 3D (game engine) to access our geographic location (to locate Pokémon and pokestops), perhaps we shouldn’t expect apps like Crittercism, Google Ads, Jackson XML, or Upsight to retrieve our location?
The disassembled code also shows that Voxel Busters is building the full list of our phone's contacts (see figure below). They access the display name, phone number, phone and email of all contacts. The list is then compiled into a JSON object and sent to a function named UnitySendMessage, which is then exported by a Unity shared library (libunity.so) where it is dispatched to another function, and where I currently lose its track. Are contacts sent to remote servers? This is not confirmed yet, but is of some concern.
So, yes, you need to know that while you play Pokémon Go you send your geographic location, along with other details (e.g network operator name, phone brand, etc.), to several remote servers, and you "pay" for this side traffic through bandwidth consumption. Unfortunately, this is increasingly true for nearly any game found in application stores nowadays...
The Pokémon Go application communicates with Niantic servers via HTTPS (see image below). Even better, in version 0.31.0, Niantic introduced certificate pinning to ensure that applications exchanged information with the real Pokémon servers and not with others
Initiating a TLS handshake with Pokémon Go servers
However, when certificate pinning is not active, an attacker can perform a MITM attack and thus completely modify the game for victims. For example, rastapasta managed to customize pokestops!
Hacked pokestop by rastapasta
A malicious person can easily imagine other customizations, such as displaying an infected link in a pokestop, or directly injecting infected traffic. While such attacks are probably feasible, they are tricky, and the attack would only operate on the network where the Pokémon Go MITM proxy is setup.
-- the Crypto Girl