Pokemon Go has a huge security risk and can even contain malware
If you're a Pokemon Go player, you're going to want to pay close attention to this.
It looks like armed robbers aren’t the only thing Pokemon trainers have to be wary of during their Pokemon Go adventure. That’s because your version of Pokemon Go could be filled with malware and security risks.
Niantic has stopped the global rollout of Pokemon Go due to its unstable servers, leading many outside of regions where the game has launched to side load it to their mobile device by downloading it online, rather than through the official App Store or Google Play Store. Unfortunately, hackers are taking advantage of the current Pokemon Go craze by sneaking malware into these files.
This information comes from Proof Point who has discovered a remote access tool called DroidJack hidden within on Pokemon Go APK, which is capable of giving a hacker full access to your phone. If you downloaded the Pokemon Go APK outside of the Google Play Store, you should check to see if the following permissions have been granted:
In addition to the possibility of malware, it appears the Pokemon Go app itself is a huge security risk as it’s been discovered both the iOS and Android version of the game request full access to your account, instead of just your email address. That means Niantic has all of the information that you’ve put into your Apple and Google account without even realizing it, which could potentially become a big issue if the company were ever hacked. In fact, the company could read all of your email, send email as you, have full access to your Google Drive, access your private photos, and much, much more.
As of now, those who play Pokemon Go should revoke all access the game has to your Apple ID and Google accounts considering the risk Niantic is putting us all in. Hopefully the company will update the game to only access the minimum amount of information, or else millions of people will continue to have their full accounts available to Niantic without even realizing it.
-
Shacknews
replyDaniel Perez posted a new article, Pokemon Go has a huge security risk and can even contain malware
-
-
-
Shacknews, I like you. However, this is some Fox News level FUD shit.
-
No it's not. Mobile software is generally a huge security risk. People think "oh cute, an app" and don't check the permissions they're giving the software.
As a PC user, would you download some dodgy .exe off the Internet and run it without even scanning it for viruses and malware?
-
-
1 Weird Trick To Catching Them All. Your Local Gym Leader Hates This!
-
Don't read the article, ignore the clickbait (again? this is like the second or third one I've seen the past few months.)
People who were desperate to get the APK for Android when it wasn't rolled out in their region yet downloaded from alternate sites, and some of these may have been contaminated with bad code. aka, clean that off your phone if you have it, and grab the Google Play version just to be sure.
iPhones are not affected.
POKEMON GO ITSELF DOES NOT HAVE ANY MALWARE.-
Or.... DO read the article, and then read this, because this is the security hole it's talking about: http://www.shacknews.com/chatty?id=35180681
-
[deleted]
-
Oh yah well you're a security hole >:(
-
-
-
-
-
-
So is logging in through Google more stable than the Trainer login thing?
-
-
-
Hahah considering what a piece of shit the app is I'm really not surprised that something like this is true. Never attribute to malice what can be explained by incompetence though.
-
lol Android
-
-
Android makes it possible.
-
-
to be fair that's one reason people increasingly don't
-
-
it's a problem for hundreds of millions or more in China and India. It's also an attack vector for a legitimate looking app in the store to disable.
-
-
-
-
For those who didn't read
...it appears the Pokemon Go app itself is a huge security risk as it’s been discovered both the iOS and Android version of the game request full access to your account, instead of just your email address. That means Niantic has all of the information that you’ve put into your Apple and Google account without even realizing it, which could potentially become a big issue if the company were ever hacked. In fact, the company could read all of your email, send email as you, have full access to your Google Drive, access your private photos, and much, much more.-
WTF does "access to your Apple ID" mean? You need to give permission for everything it's trying to access on iOS and the only things it needs is location and camera. If you use your Google account to log in, well, that's on you.
-
a convenient sentiment to absolve bad actors of their sins (not that this case is necessarily anything more than an oversight)
-
[deleted]
-
They allow you to log in with your gmail account without using the oauth workflow????
-
[deleted]
-
That's pretty weird, you have to submit the permissions form before the server will generate an access token.
I wonder what they are doing.-
[deleted]
-
huh, wtf, I guess they don't ask you for permissions if the requesting app says it needs all the permissions? That's pretty fucked up, to be honest. This is just as much Google's fault as whoever made this Pokemon app.
-
[deleted]
-
You're probably right about them using an undocumented API. Google should lock their shit down because it constitutes a pretty big security hole.
-
[deleted]
-
Yea, but Google should confirm each permission with the end user before granting access.
-
[deleted]
-
[deleted]
-
-
[deleted]
-
-
-
-
-
-
-
-
-
-
-
[deleted]
-
-
[deleted]
-
[deleted]
-
[deleted]
-
-
-
[deleted]
-
-
best bet is to just not install it and continue living life
-
Went to my google account settings and didnt find the game in the connected apps list; although i signed in using my google id
-
-
[deleted]
-
-
[deleted]
-
-
[deleted]
-
-
-
-
-
same experience here - nothing at all shows up on my app permissions from android
-
-
So I'm not sure what they're doing and I signed in through the Pokemon Trainers Club so I'm not affected but here's some explanation on what may be happening (which virus or some other GoogleShacker might put the smack down on me if I get it wrong)
So it's been this trend for years now that you don't host your own login form, you embed the login form from the provider and use OAuth or OpenID or whatever and then the provider tells you if it worked or not and you let them in. This is the case even for native apps on phones and Windows.
Depending on the needs of your app, you can either use it solely for authentication, or you can ask for access to things from the Google account. So for example if your app is a calendar app you would ask for access to the Google Calendar for the account and then you have access to the Google Calendar API's and so forth.
The part that's weird to me is that usually the end user is shown a screen that asks what the app can have access to. This article indicates that this is being skipped somehow.
If this is the case then it's my guess that the developer just screwed up and had the app asking for everything while developing it and just flat out forgot to dial back the permissions before launch. Or in the final push to finish. It's bad practice but it's not unheard of to get really far in development and then completely forget about some early debugging band-aid you put in place.
I think Google has the power to revoke the app's key until they get their shit together (this may have already happened based off of what people are seeing) but I doubt this is malice so much as a mistake.
-
