Gotta catch ’em all — with caution

July 12, 2016

I remember when Pokémon came out on the Nintendo Gameboy. It was a challenging game that had my friends and me trying to catch all of the monsters. It was addicting. Fast-forward a few dozen years and we now have Pokémon Go, an app for both Android and iOS, which has players catching the Pokémon in the wild, via augmented reality.

Addicted to Pokémon Go? Criminals know

I would be lying if I told you that I didn’t think it was cool. I downloaded the game when it became available and played it a bit while on vacation. I’ve also heard rumors that some of my colleagues at Kaspersky Lab are downright addicted to it and are planning to rule the Poké-world.

We’re not alone. The Android version of the app has surpassed daily usage of Tinder and will soon pass Twitter, according to Fortune and Forbes respectively. Who would have thought it?

The app is cool — it is the hottest thing on the Internets, as the kids say — but we do have to point out that you still need to stay safe while using the app. Sorry to sound like a parent, but security is kinda our thing here. So here are a few safety tips to keep in mind when you or your kids become the next great Pokémon trainer.

Be alert to your surroundings

In a nutshell, that screen is warning you that you should beware of cars and neighbors’ dogs — and avoid walking into walls. However, those may be the least of users’ worries when using the app.

Pokémon Go is one part game, one part augmented reality, and one part fitness tracker. You see, the Pokémon are “living” in the world we call Earth, and you need to use your GPS location to discover them, head to gyms, or find other Pokéstops. Heck, the app warns you about all this on the initial load screen.

Earlier this week, police in Missouri reported that they had apprehended four suspects who had used the beacon function of the app to lure people to a specific place. Once the players reported to the designated spot, the group allegedly robbed them at gunpoint. Similar scenarios have been reported in neighboring counties as well.

A user in Wyoming stumbled upon a dead body while trying to add to her Pokémon collection.

Pokéstops

Outside of crime, the beacon feature has become problematic for some police. One station in Australia became a Pokéstop, and users walked into the station trying to collect their goodies. The officers there took it in stride, noting that users needed only to be close to get their goodies and that they did not need to come inside.

Although the focus of the game is to catch ’em all, the case of the Australian police station highlights how becoming a Pokéstop could turn into something of a headache in public places and for business owners. How would you like to be this unsuspecting homeowner, whose house was labeled a gym in the app? Players of the game are showing up at his home to compete against other users at all hours of the day — and according to his tweet, there is no way to stop it.

Cybercrime

As with many big events such as the Olympics, World Series, or Euro 2016 Championship, cybercrooks tend to follow trends and get themselves in a position to profit from unwary victims.

When Pokémon Go went instantly viral, it also became a target for cybercrooks. My colleague Chris noted yesterday on Threatpost that there was a malicious version of the app for Android that could give criminals a backdoor into infected users’ phones.

It’s unfortunate, but some people still download apps outside of the appropriate places. It was nice to see that the makers of the game reiterated the importance of downloading the official app and not a knockoff.

If your kids are looking to access Pokémon Go, we’d advise you to remind them of the critical importance of using the official stores for their devices — the App Store for Apple iOS devices and the Play Store for Android.

Our experts’ take

“The use of popular online games as a vehicle for installing malware is well known, so it is likely to be only a matter of time before programs such as the one reported in the media are released on unsuspecting consumers. The best way to protect yourself and your device is to only install apps from official app stores and to complement this with an appropriate security solution. Don’t take short cuts, disable device security or download software from an unverified source; it’s just not worth it.” — Vladimir Kuskov, Security expert at Kaspersky Lab

Kaspersky Lab products (like Kaspersky Internet Security) detect this malware as HEUR:Trojan-Spy.AndroidOS.Sandr.a.

Data for you, data for you, everybody gets DATA!

As with any app, you need to be aware of what you are sharing with the makers of the app. This is no different with Pokémon Go. One of the default login options the game offers is to use your Google account credentials. If you are a user of iOS, you may notice that the app asks for full access to your Google account.

Search Engine Journal does a great breakdown of what that means for Apple users. The post is worth a read, particularly if you haven’t signed up yet.

Update: Google, Niantic to limit data Pokemon collects – via Threatpost

Regardless of platform, consider carefully — for your and your family’s safety — that when you log in and give access to your Google account, you are entrusting an enormous amount of personal data to the app developer. Not only may the developer want to use that data for other purposes, but it may also become the target of a hacking group looking to access valuable Google data. This possibility is especially scary given that children (and not just kids at heart) use this app.

Have fun

I hope that this post didn’t scare you away from the game. Rather, the intention was to educate you on the things that are lurking out there looking to take advantage of people hopping onto a fad.

At Kaspersky Lab, we want everyone to have fun and be safe. It’s our job to learn about trends and give you the best information about them so that you can make educated decisions about what is best for you and your kids. We also hope that, if you have kids looking to play Pokémon Go, we can lend an extra voice and support to teach the future generation of digital natives safe ways to be online.