A new app has been discovered on Google Play store, called ‘Guide for Pokémon Go’ capable of seizing root access rights on Android smartphones and using that to install/uninstall apps and display unsolicited ads.
According to Kaspersky Lab experts, the app has been downloaded more than 500,000 times, with at least 6,000 successful infections. Kaspersky Lab has reported the Trojan to Google and the app has been removed from Google Play.
‘Guide for Pokémon Go’ trojan has uncovered malicious code that downloads rooting malware, securing access to the core Android OS for the purposes of app installation and removal as well asthe display of advertising.
The trojan includes some interesting features that help it to bypass detection. For example, it doesn’t start as soon as the victim launches the app. Instead, it waits for the user to install or uninstall another app, and then checks to see whether that app runs on a real device or on a virtual machine. If it’s dealing with a device, the trojan will wait a further two hours before starting its malicious activity. Even then, infectionis not guaranteed. After connecting with its command server and uploading details of the infected device, including country, language, device model and OS version, the trojan will wait for a response. Only if it hears back will it proceed with further requests and the downloading, installation and implementation of additional malware modules.
This approach means that the control server can stop the attack from proceeding if it wants to – skipping those users it does not wish to target, or those which it suspects are a sandbox/virtual machine, for example. This provides an additional layer of protection for the malware.
Once rooting rights have been enabled, the trojan will install its modules into the device’s system folders, silently installing and uninstalling other apps and displaying unsolicited ads to the user.
Kaspersky Lab analysis shows that at least one other version of the malicious Pokémon Guide app was available through Google Play in July 2016. Further, researchers have tracked back at least nine other apps infected with the same trojan and available on Google Play Store at different times since December 2015.
Kaspersky Lab’s data suggests that there have been just over 6,000 successful infections to date, including in Russia, India and Indonesia. However, since the app is oriented towards English-speaking users, people in such geographies, and more, are also likely to have been hit.