Slashdot Mirror


Over 500K People Have Installed a Pokemon Go-Related App That Roots and Hijacks Android Devices (softpedia.com)

An anonymous reader writes: Over 500,000 people have downloaded an Android app called "Guide for Pokemon Go" that roots the devices in order to deliver ads and installs apps without the user's knowledge. Researchers who analyzed the malware said it contained multiple defenses that made reverse-engineering very difficult -- some of the most advanced they've seen -- which explains why it managed to fool Google's security scanner and end up on the official Play Store. The exploits contained in the app's rooting functions were able to root any Android released between 2012 and 2015. The trojan found inside the app was also found in nine other apps, affecting another 100,000 users. The crook behind this trojan was obviously riding various popularity waves, packing his malware in clones for whatever app or game is popular at one particular point in time.

9 of 57 comments

  1. Installed? by AmiMoJo · · Score: 4, Insightful

    Installed or downloaded? Android scans apps, even side-loaded ones, during installation for malware. This app has been on the banned list for ages.

    So 500k downloads could equal zero installs.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Installed? by Anonymous Coward · · Score: 3, Informative

      Installed or downloaded? Android scans apps, even side loaded ones, during installation for malware. This app has been on the banned list for ages.

      So 500k downloads could equal zero installs.

      That's in the paragraph below the one quoted by TFA:

      The app, named Guide for Pokémon Go, made its way onto the official Google Play Store, from where over 500,000 users downloaded and installed it on their smartphones.

      Kaspersky says that telemetry data received from its security products found that at least 6,000 users had their phones rooted and under the malware author's control.

      If it roots on activation it's odd to say that there have been 500K installs but only around 6K roots. 500K downloads and attempted-installs maybe.

    2. Re:Installed? by geogob · · Score: 2

      Not every Android phone with the installed app / root kit may have some Kaspersky security product delivering telemetry. This makes those numbers a bit difficult to interpret.

      I do not believe that both numbers (the 500k and the 6000) can be related and compared. In the end you can only conclude what is written in the text: at least 6000 phones are compromised, with the implicit knowledge that this number may be much higher, possibly in the 500 k range.

      An interesting piece of information would be to know how many devices overall are monitored by Kaspersky (from which the 6000 infected devices have been identified) and how many of those attempted to install the said app. A further interesting piece of information would be the overall count of active individual devices on the Google Play Store in the time period where the app was available. This information would allow interesting cross comparison and possibly help to understand user behaviour in the face of a product identified as potentially harmful.

      The information from Kaspersky may also be further biased by the fact that someone with such security products on their phone may have a different level of awareness of such risks than someone who doesn't.

    3. Re:Installed? by AmiMoJo · · Score: 2

      500k seems to be the number of downloads, so I'd imagine that between people who don't have side-loading enabled, who see the warnings during installation and change their minds, who have AV that blocks it, who got the Play update that blocks it, or who have incompatible devices (there is no universal root exploit for Android, they are all kernel/bootloader specific) the number of infected devices is probably quite low.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
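The thread above argues about how many of the 500k downloads ended up as actually rooted devices. The practical question for anyone holding one of these phones is whether it shows the usual signs of having been rooted. The script below is an added example, not code from the article, from Kaspersky, or from any commenter: it parses the output of `adb shell getprop` (the property names are real Android system properties; the two dumps are constructed for illustration) and a list of filesystem paths checked for a `su` binary, and reports which root indicators fire. The list of properties and `su` locations is this example's own assumption about what a first-pass triage should look at. A trojan that gained root silently can also hide `su` or leave the build properties untouched, so an empty result is not proof that a device is clean; it is only a quick way to separate "downloaded" from "obviously rooted".

```python
"""Root-indicator triage over `adb shell getprop` output and su-binary paths.

Added example (not from the article or any commenter). The property names
are genuine Android system properties; the device dumps below are constructed,
and the set of indicators checked is this script's assumption, not a standard.
"""
import re

# Constructed sample: what an unmodified, locked device typically reports.
STOCK_DUMP = """\
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
[ro.secure]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]
"""

# Constructed sample: a device with an unlocked bootloader and a custom build.
ROOTED_DUMP = """\
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
"""

# Property -> predicate that is True when the value suggests tampering.
SUSPICIOUS_PROPS = {
    "ro.build.tags": lambda v: "test-keys" in v,            # unsigned/custom build
    "ro.debuggable": lambda v: v.strip() == "1",             # userdebug/eng build
    "ro.secure": lambda v: v.strip() == "0",                 # adbd runs as root
    "ro.boot.verifiedbootstate": lambda v: v.strip() in ("orange", "yellow"),
    "ro.boot.flash.locked": lambda v: v.strip() == "0",      # bootloader unlocked
}

# Common locations a su binary is dropped by root tools and rooting malware
# (assumed list; a stealthy trojan may use none of these).
SU_PATHS = (
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/su/bin/su",
)

# getprop prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<k>[^\]]+)\]: \[(?P<v>[^\]]*)\]$")


def parse_getprop(text):
    """Turn raw getprop output into a dict; lines that don't match are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("k")] = m.group("v")
    return props


def triage(getprop_text, present_files=()):
    """Return a list of human-readable root indicators found on the device.

    present_files is the subset of SU_PATHS that exist on the device, e.g. the
    result of `adb shell ls <path>` for each candidate (gathered out of band).
    """
    props = parse_getprop(getprop_text)
    hits = []
    for key, looks_bad in SUSPICIOUS_PROPS.items():
        value = props.get(key)
        if value is not None and looks_bad(value):
            hits.append(f"{key}={value}")
    for path in present_files:
        if path in SU_PATHS:
            hits.append(f"su binary at {path}")
    return hits


if __name__ == "__main__":
    print("stock :", triage(STOCK_DUMP))
    print("rooted:", triage(ROOTED_DUMP, present_files=["/system/xbin/su"]))
```

On a real device, feed `triage()` the output of `adb shell getprop` and the list of `su` paths that `adb shell ls` reports as existing; any non-empty result on a phone the owner never rooted is a reason to pull the device for a closer look rather than a verdict on its own.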
  2. How did this get out, dammit! by Opportunist · · Score: 2

    Oh, you're not talking about the "genuine" variant?

    Oh. Never mind, carry on...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Gotta catchem all. by Anonymous Coward · · Score: 2, Funny

    Looks like they caught a "peekatyou".

  4. Malware by Oswald+McWeany · · Score: 4, Funny

    Malware, gotta catch 'em all.

    --
    "That's the way to do it" - Punch
  5. Ultimate Root App by scratchy_king · · Score: 4, Insightful

    The trojan roots all Android devices released between 2012 and 2015?

    Without needing to unlock the bootloader, install custom recovery, etc.?

    Awesome! Where do I sign up!?

  6. It Really Pisses Me Off by Anonymous Coward · · Score: 2, Insightful

    It really pisses me off that these apps can supposedly root Android and install all sorts of apps, yet trying to get root on my Galaxy is a convoluted game of Twister requiring the setting of permissions, installing special PC software, installing special (sketchy as fuck) boot loaders, custom (sketchy as fuck) recovery environments, and more.

    And, rooting Amazon fire tablets is either impossible or it's utterly bricked in the attempt.

    How is it that these bullshit apps can so easily get root and install hidden apps behind the scenes in a seamless single step app install?