17 July 2016

Avoid Pokemon Go scams, malware

Source: Niantic blog. A seadra captured on-screen.
Pokémon Go, the augmented reality mobile game that has become a global sensation since its launch in early July, has already attracted the attention of scammers and cyberattackers. While the game has yet to arrive (legally) in Asia*, there are risks that players should be aware of, says Symantec.

In a recent blog post, Symantec detailed several Pokémon scams, from free PokeCoins and fake versions of the mobile game to permission and privacy issues:

Free PokeCoin scams
Pokémon Go has in-app purchases, where users can spend real money to buy a virtual currency called PokeCoins. Players can spend the PokeCoins on items, such as incense to lure Pokémon to their location or eggs that hatch rare Pokémon. Those who search for discounted or free PokeCoins online are likely to encounter classic survey scams.

"These links are widespread across the Internet, from posts on gaming forums to dedicated scamming sites. The majority of fraudulent results are posts on social media sites or videos with alleged proof that the PokeCoin hacking tool works," Symantec noted in the blog post.

Trojanised Pokémon Go apps
Trojan versions of the game targeting Android devices have appeared, including the remote access Trojan (Android.Sandorat) disguised as Pokémon Go. The threat was distributed on various download sites and gaming forums. If the malicious version of the app is installed, it displays the Pokémon Go start screen while giving the attacker complete access to the phone.

Those looking to cheat by getting rare Pokémon in a particular physical location have spoofed their GPS locations with readily available apps that can be installed on rooted Android devices or jailbroken iPhones. While Symantec has not yet seen attackers disguise their malware as GPS spoofers, it could happen, the company warns.

Tips to stay safe with Pokémon Go include:

· Avoid downloading Pokémon Go from unofficial marketplaces, as attackers can use these sites to deliver malware disguised as legitimate apps

· Install the Pokémon Go update that removes the request for full access to Google accounts

· Stay away from game-cheating tools, as they could be fraudulent or may contain malware

· Keep your smartphone's firmware updated to prevent vulnerabilities from being exploited

· Use strong and unique passwords for your Pokémon Go account

· Pay close attention to the permissions that apps request

· Install a suitable mobile security app, to protect the device and data


The blog post also details scam methods, privacy issues and how gamers are trying to cheat in Pokémon Go.

Follow the official Twitter account for updates on availability

Hashtag: #PokemonGO

*As of the time of writing Niantic had just released the game in 26 more European countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Greece, Greenland, Hungary, Iceland, Ireland, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Romania, Slovakia, Slovenia, Sweden, and Switzerland. On July 14, the game was released in Italy, Spain and Portugal, and in the UK on July 13, and in Germany on July 12. It was originally made available in the US, Australia and New Zealand.