Backdoored Pokemon GO App Infects Android Devices

DroidJack RAT Distributed via Infected Pokémon GO APK

Popular mobile games represent a productive attack vector for cybercriminals, and the Pokémon GO augmented reality Android game released last week is the most recent proof of that.

The first Pokémon game sanctioned by Nintendo for iOS and Android devices was released in Australia and New Zealand on July 4 and landed in the US on July 6, but the rest of the world hasn’t received it via official channels. Three days after arriving in the US, Pokémon GO became one of the most used apps in the Google Play Store, SimilarWeb data reveals. 

For cybercriminals, this represented a great opportunity and they were fast to take advantage of it: a modified Pokémon GO APK carrying the remote access tool (RAT) known as DroidJack was spotted less than 72 hours after the game was officially released. The targets were users outside those three geographies, who were expected to head to third-party portals to grab it.

It's not uncommon for users to turn to third parties to grab an application or game unavailable in their area, especially when many publications provide step-by-step guides on side-loading. However, apps downloaded from unofficial portals often carry hidden risks, which is the main reason users are always warned against this practice.

In the case of Pokémon GO, the attackers were very quick about it: they created a malicious APK within three days of the initial launch, taking advantage of the hype surrounding the official game. However, those installing this program from a third-party source might have spotted its malicious intent had they paid close attention to the permissions it requested.

The DroidJack (also known as SandroRAT) malware hidden within the APK requested some unusual permissions during installation, researchers at Proofpoint explain. These include permissions to read and edit text messages, make phone calls, record audio, modify contacts, read bookmarks and web history, connect to Wi-Fi, and to retrieve running apps at startup.

All of these permissions fall in line with the functionality previously associated with DroidJack, a mobile threat that has been around since 2014. The Trojan can steal user messages, call logs, contacts, browser history, and installed apps, and can also execute remote commands such as take photos, record videos and calls, send SMS, and more.

Released in Google Play as Sandroid in 2013, DroidJack was initially designed as a legitimate app that allowed users to control their PC from an Android device. SandroRAT first emerged in December 2013 on a hacker forum, but the DroidJack variant was announced only in June 2014. It was offered on its own site at $210 for a lifetime package, Symantec researchers revealed in November 2014.

In October 2015, European law enforcement agencies staged a coordinated swoop on suspected users of DroidJack who had bought the malware and used it in 2014 and 2015. In November 2015, researchers analyzed OmniRAT, an Android tool similar to DroidJack in that it was initially designed as a legitimate application for remotely controlling Android devices, but later became malicious.

According to Proofpoint, the Pokémon GO game was modified in a manner meant to deceive users into believing they have installed the real game, and both versions feature the same start screen. The good news is that the APK wasn’t observed in the wild, although the researchers did notice it in a malicious file repository service.

The security researchers also explain that the DroidJack RAT has been configured to communicate with the command and control (C&C) domain pokemon[.]no-ip[.]org over TCP and UDP port 1337. The C&C domain resolved to an IP address in Turkey (88.233.178[.]130), researchers say, adding that the IP was not accepting connections from infected devices at the time of the analysis. Because no-ip.org is a dynamic DNS service, the operator can re-point the hostname at any time, so the hostname is the more durable indicator and the IP address only reflects where it resolved during the analysis.
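Two checks follow directly from the details above: diff the permissions a side-loaded APK declares against what the legitimate build declares (the permission list Proofpoint flagged), and sweep DNS and connection logs for the C&C hostname and socket. The script below is an added example, not code from the original article or from Proofpoint. Both manifests, the permission-to-capability mapping, and the log lines are constructed for illustration; the Android permission constants are the standard ones for the capabilities the article lists, not names taken from the real sample, and the package name is an assumption.

```python
"""Added example: permission delta for a sideloaded APK and a C&C IOC sweep."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed baseline standing in for the legitimate game's manifest.
# Package name and permission set are assumptions, not copied from the real APK.
LEGIT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.nianticlabs.pokemongo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

# Constructed candidate: the baseline plus the capabilities the article says the
# trojanized build requested, expressed as the standard Android permission names.
TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.nianticlabs.pokemongo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

# My own mapping of the capabilities listed in the article onto permission names.
RAT_PERMISSIONS = {
    "android.permission.READ_SMS": "read text messages",
    "android.permission.WRITE_SMS": "edit text messages",
    "android.permission.CALL_PHONE": "make phone calls",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.WRITE_CONTACTS": "modify contacts",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read bookmarks and web history",
    "android.permission.CHANGE_WIFI_STATE": "connect to Wi-Fi",
    "android.permission.GET_TASKS": "retrieve running apps",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup",
}


def declared_permissions(manifest_xml):
    """Set of <uses-permission android:name=...> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def permission_delta(candidate_xml, baseline_xml):
    """Permissions the candidate declares but the baseline does not, each tagged
    with the RAT capability it enables or 'not in baseline' if it maps to none."""
    extra = declared_permissions(candidate_xml) - declared_permissions(baseline_xml)
    return {p: RAT_PERMISSIONS.get(p, "not in baseline") for p in sorted(extra)}


# IOCs from the article, defanged brackets removed. The hostname pattern rejects
# look-alikes such as pokemon.no-ip.org.example.net; the socket pattern requires
# the exact IP and port 1337 so 88.233.178.13:1337 and :443 do not match.
C2_DOMAIN_RE = re.compile(r"(?<![\w.-])pokemon\.no-ip\.org(?![\w-])(?!\.[\w-])", re.I)
C2_SOCKET_RE = re.compile(r"(?<![\d.])88\.233\.178\.130:1337(?!\d)")

# Constructed log lines in a simple key=value format; only the indicators are real.
SAMPLE_LOGS = [
    "2016-07-10T12:00:01Z dns client=10.0.0.5 query=pokemon.no-ip.org type=A",
    "2016-07-10T12:00:02Z conn proto=tcp src=10.0.0.5:51234 dst=88.233.178.130:1337 state=SYN_SENT",
    "2016-07-10T12:00:02Z conn proto=udp src=10.0.0.5:51235 dst=88.233.178.130:1337",
    "2016-07-10T12:00:03Z dns client=10.0.0.6 query=pokemon.no-ip.org.example.net type=A",
    "2016-07-10T12:00:04Z conn proto=tcp src=10.0.0.6:51236 dst=88.233.178.13:1337",
    "2016-07-10T12:00:05Z conn proto=tcp src=10.0.0.7:51237 dst=88.233.178.130:443",
]


def match_c2_iocs(lines):
    """Return (kind, line) for every line that hits the hostname or socket IOC."""
    hits = []
    for line in lines:
        if C2_DOMAIN_RE.search(line):
            hits.append(("dns", line))
        elif C2_SOCKET_RE.search(line):
            hits.append(("socket", line))
    return hits


if __name__ == "__main__":
    for perm, why in permission_delta(TROJANIZED_MANIFEST, LEGIT_MANIFEST).items():
        print(f"extra permission {perm}: {why}")
    for kind, line in match_c2_iocs(SAMPLE_LOGS):
        print(f"IOC hit ({kind}): {line}")
```

In practice the decoded manifest comes from `apktool d` or `aapt dump permissions` on both the official build and the suspect one; the point of diffing against a baseline rather than eyeballing the list is that a game legitimately needs camera and location, so only the surplus matters. Match on the hostname first: the dynamic DNS name is the stable indicator, and the IP only tells you where it pointed at analysis time.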

Although the infected Pokémon GO APK wasn't observed in live attacks, it is a textbook example of why users should download applications only from trusted sources. Cybercriminals keep a close eye on trending applications and games and will prey on their popularity to carry out their nefarious activities.

“Installing apps from third-party sources, other than officially vetted and sanctioned corporate app stores, is never advisable. Official and enterprise app stores have procedures and algorithms for vetting the security of mobile applications, while side-loading apps from other, often questionable sources, exposes users and their mobile devices to a variety of malware,” Proofpoint researchers say.
