Despite the immediate success of Pokemon Go, its staggered release across countries has led to many UK-based players putting their personal data at risk by downloading fake or malware-laden versions of the app. This situation is a high-profile example of how businesses and app providers need to take app security into their own hands, rather than relying on the behaviour of their users. This is according to app security specialists Promon.
The release of Pokémon Go has been met with a frenzied reaction from smartphone users across the globe, despite its initial release being limited to just Australia, New Zealand and the USA. As a result of this extremely high demand combined with the staggered global release, UK-based players eager to use the app are risking seriously compromising their operating systems by inadvertently downloading fake apps. This is indicative of the severe danger that imitations of popular apps can pose, and of just how difficult it is to promote cybersecurity by encouraging positive user behaviour.
Lars Lunde Birkeland, Head of Communication at Promon, said: “Pokemon Go has become an almost instant phenomenon; its ease of use and the nostalgia it brings to many smartphone users is undeniable. But it is also an excellent example of how cybercriminals can hijack a trend and make their mark through fake apps.
“More importantly, the Pokémon Go issues underline just how difficult it is to control the behaviour of individual smartphone users. If someone desperately wants an app that isn’t yet available on the App Store or Google Play, they will go to great lengths in order to get it.”
To tackle the problem posed by fake versions of popular apps, Birkeland believes that businesses and app developers should implement full, simultaneous global releases wherever possible. Most importantly though, app developers – regardless of how in-demand their app is – should be prioritising their own cybersecurity efforts, rather than simply hoping their users do everything via the appropriate channels.
Birkeland concluded: “By all means, good practices amongst users are essential, and should be encouraged to urge users to adopt good long-term habits. But this isn’t enough. Firstly, app developers should be fully aware of expected demand ahead of launch, and ensure they have the capacity to carry out a simultaneous global release when possible.
“But the most important point to make is this: it’s time for businesses and app developers to take charge, by implementing software that defends their apps from the inside out. In this way, any malware that sneaks onto a smartphone via a fake app won’t be able to seep into other apps on the device. This greatly reduces the chances of data theft, and means that any irresponsible behaviour by users will not have serious repercussions.”
The Guru also reached out to several other cyber security experts to get their thoughts on the new craze. You can read their reactions below.
Javvad Malik, Security Advocate, AlienVault:
“Jailbreaking devices or installing apps from unofficial or untrusted sources is a recipe for letting the fox into the henhouse. Enterprises should ensure that mobile devices that access corporate systems are prevented from being jailbroken and cannot download unauthorized apps. Doing so can put the device, its data, and users’ privacy at risk.
Mobile apps are notorious for requesting excessive permissions – something that users should scrutinize whenever installing a new app. However, in this case, it appears as if it was a failing on behalf of Google in allowing an app to not only request admin privileges, but doing so without displaying a prompt to users – an issue that apparently Google is seeking to fix as soon as possible. However, it does beg the question whether or not other not-so-popular apps have been able to sneak under the radar in the past.”
Mark James, Security Specialist at ESET:
“The gaming industry has a massive following, mobile gaming in particular opens up a whole new security headache as the industry itself is geared towards offering games to the masses. Gamers have traditionally been “nerds” with big expensive rigs and a good knowledge of IT to keep their systems running at optimal conditions. However, with the advent of mobile gaming this has all changed. Playing games in small bursts in your spare time has boosted the industry with games requiring “little and often” attention rather than hours and hours of gameplay.
As with any current “fad” end users are presented with one simple choice, do you want to be involved or not? If you do then all you have to do is install the game or app, permissions and often cost (within reason) are not really a factor. Often for the early adopters getting access to the actual app may not be straight forward and may as in this case involve downloading or installing the app from unofficial sources which opens up a whole world of opportunity for hackers to compromise your device. Once this happens they may well have complete control to do as they please, this may include installing malware to gain access to your identity or financial data. As always in these cases it really is best to wait for official versions and especially be very mindful of where you download them from. Make sure you have a good regular updating internet security product installed and ensure you run regular scans.”
Kevin Epstein, VP, Threat Operations Centre at Proofpoint:
“DroidJack gives attackers complete access to mobile devices including user text messaging, GPS data, phone calls, camera—and any business network resources they access. This makes both the practice of side-loading applications (downloading apps from unofficial app stores) and the presence of apps like the malicious version of Pokemon GO especially concerning. Installing apps from third-party sources, other than officially vetted and sanctioned corporate app stores, is never recommended. Even though this malicious app has not been observed in the wild, it represents an important proof of concept: namely, that cybercriminals can take advantage of the popularity of applications like Pokemon GO to trick users into installing malware on their devices.
Consumers should be extremely wary of downloading apps from app stores other than the Apple App Store and Google Play. Many other app stores do not have security controls to prevent malicious attackers from posting versions of apps that have been tampered with.”
Tyler Reguly, Manager of Software Development at Tripwire:
“I think, in many ways, this comes down to a problem with software vendors and their approach to distribution. It’s an issue that’s mimicked in media distribution and comes down to two main issues, globalization and the “me first” attitude of Millennials and Generation Z. Media, regardless of the format, is distributed on a per-country or per-region basis rather than globally, yet online discussions happen at a global level and seeing the positive reviews of others forces that “me first” attitude to kick in, “I must try it at any cost.” The result is people download movies, music, books, and games from a variety of sketchy sources. The websites hosting this content are often plagued with drive-by attacks and malware, incorporating this into the actual download is a logical expansion.
Had Pokemon Go been released globally (since people everywhere are playing it), no one would have felt the need to visit third party sites to acquire the APK. As we move forward, companies should realize that global releases are beneficial to them and the end user. Whether it’s same day digital video rentals and theatrical releases, global album launches, or mobile applications available worldwide, it’s an option to curb piracy and, with so many malicious actors in play, secure the end user. In a perfect world, vendors could use their tiered release process and all would be well but a malware-laced mobile app does a better job of providing instant gratification. It could be interesting to run a survey to see if people would rather wait for an official release of Pokemon Go or knowingly install malware, I suspect a large number of people would accept the malware.”
Lee Munson, security researcher for Comparitech.com:
“The new Pokemon app, which is Go in the US, Australia and New Zealand, but no-go anywhere else, has caused quite a storm in the last couple of days. Hype abounds and all the cool people want to get playing. The only problem with that is some are going to dangerous lengths to get hold of the game before it is officially launched in their territory. Flying in the face of age-old and sound security advice, they are foregoing official app stores to download the app from third parties, many of which are not being as helpful as it seems.
“For packed into the rogue Pokemon Go apps is malware that can give an attacker full control over an Android device (iPhone users, by and large, cannot install the files). So how are keen gamers supposed to get the real deal if Pokemon Go hasn’t yet been released in their country?
In this case, I would say they shouldn’t – the reason Nintendo has slowed the roll out is due to playability issues so the best and safest answer is to sit tight and wait for the app to be released officially or use a VPN to download the official version.”
Tim Erlin, Director, Security and IT Risk Strategist at Tripwire:
“When it comes to malware, you really don’t want to catch ’em all.
Cybercriminals are after any angle that helps them gain a foothold on your devices. A popular app that’s not available in some places is a near-perfect target for crafting a malware delivery strategy.
People have proven time and time again that they’ll click recklessly to get access to new, prohibited or early-release software. Attackers have proven time and time again that they’ll find a way to infect that software.
Installing software from third-party markets and unknown sources increases your risk of malware. Period.”