Here’s one reason why you shouldn’t download Pokémon Go APKs

11 Jul 2016

If you’ve been tempted to download one of the many Pokémon Go APKs out there because it’s not yet available in your country, then you might want to think again after a recent discovery.

It may still be only a matter of days since it was released, but Pokémon Go can call itself a phenomenon at this point, with it becoming one of the most downloaded apps of recent times, surpassing even Tinder on Android in the US.

The only problem, however, is that, at least for the moment, it’s only available in a limited number of countries, specifically, Japan, the US and Australia.

Beware the APKs

While people in these countries have been reporting massive gatherings of people hunting augmented reality (AR) Pokémon, and even the discovery of a body by accident, those in the rest of the world where it’s not available are anxious to get their hands on it.

So anxious, in fact, that dozens of mirror versions of the app have appeared in the Android operating system – known as Android application packages (APKs) – that offer those in Ireland and elsewhere the ability to play it right now.

Unsurprisingly, they have proven popular, but, like any trending app that people are clambering to get their hands on, people are now looking to take advantage of them.

According to the security research firm Proofpoint, there is at least one Pokémon Go APK out there that, when downloaded onto your Android device, provides a backdoor for hackers to gain remote access to it and any details you have stored on it.

Pokémon Go app

The highlighted sections of the app permissions screen grab shows the Droidjack version. Image via Proofpoint

A warning

Called Droidjack, the malware has been in existence for some time now, but this one discovery of an APK coded with it shows that users are potentially vulnerable to being taken advantage of.

After all, in order for someone to download it, the owner of the device needs to turn off the security features that prevent software not found on the Google Play Store being downloaded.

However, in this instance, anyone who has downloaded an APK and is now fearful that their phone may be infected can rest a bit easier knowing that the malware-infected version found by Proofpoint was not ‘out in the wild’, with no reports of infection just yet.

Additionally, the server in which extracted information would be sent appears to be located in Turkey but was not accepting any information during testing.

So, in this case, the discovery is acting as a warning for eager players in the rest of the world, but if people are afraid they may have downloaded a malicious version, there is a simple check to make sure.

Only a few days until global release

While not downloading any APKs would be the optimal choice, those who have may want to check the app permissions they granted the app to have, with immediate flags being ones that request access to your connectivity and messaging.

This information can be accessed in ‘Settings’, followed by ‘Apps’ and finally by tapping on the Pokémon Go app.

In its conclusion, the security firm said of anybody looking to download the APK: “Just because you can get the latest software on your device does not mean that you should.

“Instead, downloading available applications from legitimate app stores is the best way to avoid compromising your device and the networks it accesses.”

While this might remain just a threat for the moment, real damage has already been caused by a group of teenagers in the US who were allegedly found to be using the app to lure players to one location, whereby they would then threaten them and steal their possessions.

Pokémon Go app image via Randy Miramontez/Shutterstock

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com