The Pokémon GO hype isn’t over, and more cybercriminals are taking advantage of it. After a malware-riddled Pokémon GO app emerged over a week ago, researchers have also found a fake lockscreen app in Google Play under the name of Pokemon Go Ultimate.
The official Pokémon GO app is available in only a handful of countries, and cybercriminals are preying on users’ urge to play the game. Although listed as Pokemon Go Ultimate in the official storefront, the app appears under the name of PI Network once installed on an Android device.
When launched, the program freezes, effectively locking the device’s screen and preventing the user from using it. Because it doesn’t offer the possibility to unlock the device, the app forces the user to restart the device, sometimes by removing the battery or using the Android Device Manager.
After analyzing the malicious software, ESET researchers discovered that, after reboot, the icon for PI Network disappears and that the fake lockscreen program runs in the background, silently clicking on ads online to generate revenue for its operators.
In addition to Pokemon Go Ultimate, security researchers discovered fake applications such as Guide & Cheats for Pokemon Go and Install PokemonGo in Google Play and say that they were designed to deliver scareware ads, thus tricking users into paying for unnecessary services. When launched, these apps promise to generate up to 999,999 Pokecoins, Pokeballs or Lucky Eggs each day, but they don’t deliver on these promises.
Instead, as recently seen with bogus applications that promise thousands of followers on social networks, these apps require users to “verify their accounts” and trick them into subscribing to expensive bogus services. These apps also displayed fake pop-up alerts, some claiming that the device has been infected and needs to be cleaned.
“The virus removal masquerade is only one example of the apps’ scareware techniques. They can also download other applications, create surveys and display scam ads where the user has allegedly won prizes such as the new iPhone, Galaxy S7 Edge or even large amounts of money. The techniques deployed depend on the country where the user’s IP is being localized,” ESET researchers explain.
These applications have been already removed from Google Play, but not before being installed onto thousands of devices. Pokemon Go Ultimate had between 500 and 1,000 installs when removed, Guide & Cheats for Pokemon Go had between 100 and 500, while Install PokemonGo had between 10,000 and 50,000 installs.
In addition to the cybercriminals looking to leverage the success of the app to cash in on users’ naivety, there are those who would rather go for the company that released the game instead. In the case of Pokémon GO, a threat group called PoodleCorp claimed that it was responsible for bringing the game’s servers offline over the weekend.
The group posted on Twitter that it was successful in its attempt, but also said that this attack was only a test, and that “something on a larger scale” will happen soon. Apparently, the group plans a distributed denial of service (DDoS) attack on the Pokémon GO servers on August 1.
Attacks of the kind are not something new, nor for the group of hackers claiming to be behind them and brag about their plans.
“Pokemon Go has an extremely high profile, and any impact attributed to a specific attacker is going to drive publicity,” Tim Erlin, Senior Director of IT Security and Risk Strategy for Tripwire told SecurityWeek. “Attributing cyber attacks to specific groups or individuals is very difficult, especially with a distributed denial of service where the evidence is service disruption, rather than compromised information.”
In April this year, the group known as Lizard Squad caused a massive outage after hitting servers operated by Blizzard Entertainment with a DDoS attack. In December last year, a group called Phantom Squad threatened to take down PlayStation Network and Xbox Live on Christmas.
Related: Backdoored Pokémon GO App Infects Android Devices