July 15, 2016

Pokemon Go: New Tampered Apps & What You Can Do

A man and a woman standing in a crowd wearing Pikachu hats and looking at their smartphones.

Pokemon Go, is arguably the biggest mobile game in US history, but while fame breeds fans — even employees in the enterprise — it also attracts many opportunistic attackers.  

Since launching, players have already overloaded the app’s servers and press has pointed out a number of privacy concerns regarding how much data Pokemon Go accesses. Now, we can add malware and app-tampering to the list of concerns. As for malware, a recent post by Proof Point identified one such malicious version of Pokemon Go for Android. We’re seeing and anticipating a number of other categories of tampered-with versions of Pokemon Go that we haven’t yet seen reported.

Malicious and modified Pokemon Go apps — you don’t actually want to catch ‘em all

Because Pokemon Go is not available in all countries — it was just released in the UK on July 14 — users are motivated to download the app from sources other than Google Play and Apple’s App Store. So, we looked into our dataset of the world’s mobile code and found several additional malicious versions of Pokemon Go out there in the wild.

Malware authors are taking the existing Pokemon Go app, modifying it to insert malicious or advertisement code, and then distributing it out to unsuspecting users. We’re seeing several other categories of non-official Pokemon Go apps in third-party marketplaces as well.

From our analysis, we have seen five categories of suspicious Pokemon Go apps:

1. Repackaged and trojanized [Android]: Repackaged versions of Pokemon Go that have had a Trojan injected into it. Example: Pokemon Go with a RAT called SandroRat (aka DroidJack)

2. Repackaged with adware [Android]: Repackaged versions of Pokemon Go that have been injected with adware

3. Malicious app with Pokemon name only [Android]: A malicious app using the same package name as Pokemon Go, but has no Pokemon code and instead tries to do something unexpected or something malicious, e.g., become device admin

4. Repackaged app for cheats [Android]: Repackaged versions of Pokemon Go that have been modified via tools like LuckyPatcher to cheat by bypassing in-app billing, spoof locations, etc.

5. Repackaged app for cheats [iOS]: Repackaged version of Pokemon Go for iOS that disables jailbreak detection so that cheating tools can be used (found on a 3rd party iOS app store)

Malware creators will sometimes use as much of an original app as possible to avoid being detected by the user looking to use the app they want and this is what we see in category 1 and category 2.

Category 3 is an interesting type of attack that uses the same package name of the original app, but it contains none of the original app’s code and instead looks to be up to no good. We’ve seen this trend before. We recently reported on several malware families re-using package names of popular enterprise apps including some ADP, Cisco and VMWare mobile apps.

Categories 4, and 5 are a different kind of “malicious app.” Rather the apps in these categories are not actually malicious from an end-users perspective, but are malicious from the creator of the original Pokemon Go apps perspective because these apps have been tampered with. They are targeted at giving the user an advantage in the game (i.e., cheating). They were not tampered with in order to infect a user with a trojan or to generate revenue from injected adware. The apps we’ve seen have been patched to circumvent root/jailbreak detection to run things like location spoofers, as was the case with the iOS app we found.

Additionally, there are many versions of the Android app floating around that have been patched using a tool that lets an attacker do things like bypass in-app billing to get free coins for in game items or spoof GPS locations to access areas they are not physically near.  

Staying safe

Attackers will continue to create new, malicious- and tampered-versions of Pokemon Go for both Android and iOS. This will hold true especially as people play the game longer and will need to physically travel farther to catch rarer pokemon or need to spend real money in the game. In addition to using modified or tampered apps, there are also users that are playing Pokemon Go on rooted/jailbroken devices and emulators to dynamically modify the official Pokemon Go app as it’s being used to cheat.

To ensure you have the safest version of Pokemon Go please only download the official versions of Pokemon Go from the Google Play or iOS App Store. If you’re an Android user, ensure “unknown sources” is unchecked on your device. This will prevent “sideloading,” or downloading from an unofficial app store source.

iOS users should be aware of trusting any unexpected developer certificates. Trusting these is how third-party apps could be downloaded to an iOS device.

If you’re worried that you may have already downloaded a malicious “Pokemon Go” app, download a security solution like Lookout that can evaluate the app and determine if it is dangerous. Lookout will alert you if you encounter any malicious apps.

If you’re an enterprise, there’s a big chance your employees are interested in downloading this game to the devices they already bring into your workplace. Check out this video to learn more about what that might look like for your organization:

File Hashes (Trojan and Adware)
  • 9b29ad3bea26a21160e8aa74a00e6901fc16da8e
  • f0405a3d6f6a2d1a635972efa6ae27d23e4a4a2a
  • b2fec52d6083e5fa9fb5703bedfb817aac2c46f1
  • 561ae708f234f46dbdca1d7f2a38d854d9bb60df
Signer Hashes (LuckyPatcher) Lookout will flag apps that have been modified with LuckyPatcher as having a compromised signer key.
  • 44c5e69d1723f6ea11e444ee6b0e31608a2b9f29


Andrew Blaich

Head of Device Intelligence

Andrew Blaich is Head of Device Intelligence at Lookout where he is focused on mobile threat hunting and vulnerability research. Prior to Lookout, Andrew was the Lead Security Analyst at Bluebox Security. He holds a Ph.D. in computer science, and engineering from the University of Notre Dame in enterprise security and wireless networking. In the past Andrew has worked at both Samsung and Qualcomm Research. Andrew is a regular presenter at security conferences including BlackHat, RSA, Kaspersky SAS, SecTor, SANS DFIR, Interop, and ACSC. In his free time he loves to run and hack on IoT.

Platform(s) Affected
Platform(s) Affected
Threat Type
Entry Type
Threat Summary
Platform(s) Affected
Threat Summary

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.