If you haven’t heard of Pokemon GO yet, you should probably crawl out from under that rock and catch a rock-type while you’re at it! Yet to be released in India, this AR-enabled game has been downloaded by a large number of people here already from unauthorized websites hosting the APK. This version is usually the one that was released in Australia and New Zealand initially.
Within 72 hours of the release, a tampered version of the APK was discovered being distributed via third-party sources. This version gives hackers full control over your phone, including the phone’s camera, text messaging, phone calls, GPS tracking and more.
Needless to say, this exposes a large number of users already playing Pokemon GO in India to being hacked without even knowing it, as the altered version plays exactly the same as the original one. To download and install it, users need to enable third-party app sources on their phone, a setting Google recommends keeping disabled because there is no easy way to keep a check on malware on Android otherwise.
"Some of you might say, ‘Is it going to be that bad?’ ‘What have I got to lose?’ It’s not only you who is at stake here. By willingly turning off the security setting you are putting your entire list of contacts at risk. They are equally vulnerable to cyber-attacks as the crooks now have a readymade list of victims to target – name, number, email IDs, Facebook-Instagram usernames, you name it, they’ve got it. It doesn’t stop here. Your entire identity is at risk. Your corporate data is at risk. Because the crooks get power from you. They can only get access to the individuals and organisations through you," said Mr. Sunil Sharma, Vice President, Sales, Sophos India & SAARC.
People who are now worried about having the malicious version of the app on their phones do have a couple of options at their disposal, as the cyber-security researchers who discovered this flaw have explained. First, they can check the SHA256 hash of the downloaded APK. As explained by the researchers, the malicious APK has a hash of 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4 while the original initial version has a hash of 8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67.
Another way to check for the malicious app is to check the permissions granted by going to Settings->Apps->Pokemon GO and scrolling down to the Permissions section. If it contains permissions like “Directly call phone numbers” or “Record audio”, then it is the malicious version. A full explanation of these two checks can be found here.
Mr. Sunil Sharma also commented on the good practices to follow to avoid such risks in the future, as mentioned in the points below –
If you do have the app installed on your phone, we would advise you to check for the malicious version. And if you do find it, stay strong and uninstall it for your own safety. Have patience, Pokemon GO will officially hit the Indian shores soon enough.