At FortiGuard, we wouldn't let you down without an analysis of
Pokémon Go. Is it safe to install? Can you go and hunt for Pokémon, or
stay by a pokestop longing for pokeballs? While this article won't
assist you in game strategy, I'll give you my first impressions
analyzing the game.
Versions
There are two sorts of Pokémon applications:
1. The official versions, issued by Niantic.
We will talk more about these later, but in brief, they are not malicious.
2. The hacked versions. These are also
known as "mods", which are issued by other developers, for multiple
reasons. It is in this category we are the most likely to encounter
malware. For instance, a repackaged version infected with DroidJack RAT
has been identified to be in the wild (see analysis below).
15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4
However, not all hacked versions are necessarily malicious: we
inspected hacks to play on Android 4.0 (the minimum requirement is
normally 4.4), or to modify GPS coordinates, neither of which showed any
malicious intent.
baf0dc2e19c6ec9ebfc2853785e92e175064c522a82410c2e56e204fad156838 4d482cf9beef8d4f03a6c609025fc6025069c0c83598032e46380d23a75f1979
Besides manual inspection, we also sent those samples to our learning-based Android prediction engine, SherlockDroid / Alligator, which confirmed our analysis ;)
Risk #1 Installing an infected version
As mentioned earlier, a sample with sha256
15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4
is infected with Android/SandrC.tr, dubbed DroidJack RAT.
This is a known malware, for which we have had a signature since
2015. Therefore, Fortinet customers were protected from this malicious
Pokémon app from the beginning :)
This malware is quite widespread. Internal statistics at Fortinet
indicate more than 8,800 detections in a year, and 160 last month alone,
but those figures are largely underestimated for various reasons,
including the fact that reporting is not enabled by default. So,
basically, what you should remember is that this malware is still in the
wild and active currently.
More malware to come?
Yes, very certainly. Malware authors are likely to continue to
re-package the game with a variety of malware and distribute it. The
fact the game wasn't released in all countries at the same date, for
example, (thus forcing impatient users to look for alternatives on the
web), combined with the fact there are large game hacking (that's nice)
and cheating (that's bad ;) communities only increase the potential for
downloading an infected version of the game..
Risk #2 Full Google Account Information? (This is fixed)
Adam Reeve noticed that the game requested full access to your Google account. Note: we are not talking about an Android permission here but a permission of an app connected to a Google account.
This was an error and Niantic fixed this. So be sure to remove the permission from your account and upgrade your Pokémon Go application.
Finally, note that it is not extremely clear in the documentation
exactly how much "full access" really means, but no malware or exploit
of this has been reported so far.
Risk #3 Unwanted network traffic
In a perfect world, we'd expect games to only send packets over the
network that are absolutely necessary for the game to run, such as your
location, the details of Pokémon around you, etc.
However, this is very far from reality, and for years now most
Android applications are bundled with third party kits (analytics, crash
reporting, cross platform engines, etc.) which use up the bandwidth
which send and receive more or less useful side information containing,
in the best cases, the exact model of your smartphone, or in the worst,
personal information such as your phone number and other private data.
Pokémon Go is one of these bandwidth hungry applications. I
downloaded it two weeks ago, and it is already close to being the most
greedy application on my phone...
For mobile users, the consumption of bandwidth is a real issue.
On average, 24% of an application's traffic is for third party tracking
and advertising services. For some applications, the rate rockets to
98%.
While the percentage of side traffic for Pokémon Go hasn't been
measured precisely, given the number of third party functionality it
includes, I wouldn't be surprised if it isn’t well above 50% ;)
Here is a list of what version 0.31.0 contains:
- Crittercism - now called Apteligent - is a mobile application "performance management solution"
- Dagger is a "fast dependency injector"
- Android support libraries: those are common to nearly all Android applications
- Apache commons I/O
- Unity 3D: that's the game engine Pokémon Go heavily relies on
- Space Madness Lunar Console: this is a "lightweight Unity native iOS/Android logger"
- Google Ads
- Google GSON
- Jackson XML: this is the JSON library for Java
- JNI bridge
- Upsight: a mobile analytics and marketing platform
- Google billing
- Square Otto: an event bus
- Voxel Busters: with "cross platform native plugins"
- rx for Reactive programming
Along with such "not-so-essential" network traffic to third party
servers also comes common leaks. While we expect Niantic Labs and Unity
3D (game engine) to access our geographic location (to locate Pokémon
and pokestops), perhaps we shouldn’t expect apps like Crittercism,
Google Ads, Jackson XML, or Upsight to retrieve our location?
The disassembled code also shows that Voxel Busters is building the
full list of our phone's contacts (see figure below). They access the
display name, phone number, phone and email of all contacts. The list is
then compiled into a JSON object and sent to a function named
UnitySendMessage, which is then exported by a Unity shared library
(libunity.so) where it is dispatched to another function, and where I
currently lose its track. Are contacts sent to remote servers? This is
not confirmed yet, but is of some concern.
So, yes, you need to know that while you play Pokémon Go you send
your geographic location, along with other details (e.g network operator
name, phone brand, etc.), to several remote servers, and you "pay" for
this side traffic through bandwidth consumption. Unfortunately, this is
increasingly true for nearly any game found in application stores
nowadays...
Risk #4 Spoofed Pokémon map or activity
The Pokémon Go application communicates with Niantic servers via
HTTPS (see image below). Even better, in version 0.31.0, Niantic
introduced certificate pinning to ensure that applications exchanged information with the real Pokémon servers and not with others
Initiating a TLS handshake with Pokémon Go servers
However, when certificate pinning is not active, an attacker can
perform a MITM attack and thus completely modify the game for victims.
For example, rastapasta managed to customize pokestops!
A malicious person can easily imagine other customizations, such as
displaying an infected link in a pokestop, or directly injecting
infected traffic. While such attacks are probably feasible, they are
tricky, and the attack would only operate on the network where the
Pokémon Go MITM proxy is setup.
Conclusion
- The Pokémon Go application is not malicious.
- It is no longer possible foe the application to fully access your email. It was a risk with an older version, but hasn't ever been demonstrated.
- There are currently versions of Pokémon Go in the wild repackaged
with malware, and I expect more to come. Consequently, if you are not
retrieving your applications from a safe application store I recommend
you check its SHA256 hash against the official one, or scan the
application with an anti-virus tool.
- Like most applications nowadays, Pokémon Go (or the third party
apps it uses) exposes your privacy and implies unwanted network traffic.
- Niantic has obviously paid attention to securing access to its
gaming servers. However, locally, MITM proxy attacks remain possible by
skilled attackers.
Keep Posted
By: Axelle Apvrille Anti-Virus Malware Researcher, FORTINET
PRC, Inc.
Unit 206 State Condominium IV
Ortigas Ave., Greenhills San Juan M.M.
CP # 0998-9613729 * 0925-8198206
Telefax# 02-7250237 * 02-4708535
alvin.marayanprc@gmail.com
