Badware purveyors trying to capitalize on the ongoing Pokémon Go frenzy have achieved an important milestone by sneaking their fake wares into the official Google Play marketplace, security researchers said Friday.
Researchers from antivirus provider Eset report finding at least three such apps in the Google-hosted marketplace. Of the three, the one titled “Pokemon Go Ultimate” posed the biggest threat because it deliberately locks the screen of devices immediately after being installed. In many cases, restarting an infected phone isn’t enough to unlock the screen. Infected phones can ultimately be unlocked either by removing the battery or by using the Android Device Manager.
Once the screen has been unlocked and the device has restarted, the app—which by now has the title PI Network—is removed from the device’s app menu. Still, it continues to run in the background and surreptitiously clicks on ads in an attempt to generate revenue for its creators.
“This is the first observation of lockscreen functionality being successfully used in a fake app that has landed on Google Play,” Eset malware researcher Lukas Stefanko wrote in Friday’s post. “It is important to note that from there it takes just one small step to add a ransom message and create the first lockscreen ransomware on Google Play.”
Eset discovered two other fake Pokémon Go apps inhabiting Google Play, one named “Guide & Cheats for Pokemon Go” and the other “Install Pokemongo.” Both deliver ads carrying fraudulent, scary-sounding messages that are designed to trick users into buying expensive, unnecessary services. One such message claims the device is infected with malware and prompts the user to spend money to get the malicious apps removed.
“Every time the user presses the ‘Back’ button, new scareware pop-ups and advertisements appear,” Stefanko wrote. “The only way to get rid of them is double-clicking on the ‘Back’ button.”
The apps are by no means the first case of scammers attempting to exploit the ongoing Pokémon Go craze. Last week, researchers from security firm Proofpoint discovered a backdoored version of the Pokémon Go app for Android. It contained all the functions of the legitimate app, but behind the scenes it also included a remote access tool called DroidJack (aka SandroRAT), which gives an attacker full control over an infected phone.
The malicious app was available in third-party app stores. While many people rightly avoid such marketplaces because of the increased chances that they include harmful wares, some die-hard Pokémon fans have been tempted to suspend the taboo against sideloading because the official Pokémon Go hasn’t been available in many countries. The apps discovered by Eset, by contrast, were available in Google Play. Google removed them after Eset reported them. The continued presence of malicious apps inside the official Android marketplace underscores the significant limits of Google’s attempts to detect malicious or abusive behavior before admitting titles.
People who want to run Pokémon Go on their Android phone should download the app only from Google Play, and even then, they should closely inspect the publisher, the number of downloads, and other data for signs of fraud before installing.