News
How Pokémon fever is making security experts feel sick
July 2016 by Nordic IT Security
Our content director Maaike Gerritse takes a look at the biggest hit at the moment, Pokémon GO, and analyses what the implications are for IT Security worldwide.
Pokémon GO is the summer hit of 2016 with an estimated 75 million downloads to date and has been causing quite a fuss as people claim it is quite easy to steal valuables or even identities through the app.
But before we go there, let’s start at the beginning: what the hell is Pokémon Go and where is all this fuss coming from?
Pokémon is making its comeback through Pokémon GO, and boy it is a successful comeback! It only took the game 13 hours to reach the top of the highest grossing app chart in the US. It is the biggest entry into the mobile space, with being on the verge of overtaking Twitter in terms of daily active users on Android devices. Simply put, Pokémon Go uses GPS and time to detect where you are and at what time of the day and based on that makes Pokémon appear in your surroundings. It is then your goal to catch them. The game stimulates you to go out there and travel to catch different Pokémon. The combination of the game and augmented reality is a truly revolutionary way of stimulating people to get out of the house if you ask me! But where does all the negative publicity come from?
Google full access
A wave of panic hit after people received a warning that they have given full access to everything in their Google account. It only affected players who signed up to play the game using their Google account on Apple devices. The issue comes from an outdated version of Google’s shared sign-on service, leading Google to warn users that the app had full access to their accounts. In reality, it does not mean that the developers of the game will be able to control emails, access your Drive and review browser and maps histories. It turns out that only basic permissions are granted to the app and the wording of full access is just a very unfortunate one.
Malicious versions circulating the web
The Google access scare is not the only thing that has attracted extra attention from the security industry. Malicious versions of the game are already circulating which are infected with a remote access tool, giving attackers full access over your phone. The massive attention on social media is causing so much enthusiasm that many Pokémon fanatics do not want to wait to play the game until it is rolled out in their countries, and therefore download the game from third parties. The malicious game hasn’t reached the Google app store, but it is still a very real threat.
Geolocation manipulation
Besides malicious versions of the game, criminals go even as far as manipulating the app’s geolocation feature to lure victims to a predestined spot to rob them. By adding a beacon to a so called pokéstop, players can fairly easy be lured to a specific location. All the robber needs to do is wait them up there and do his thing. In Missouri a case has been reported of an armed robbery, making use of this technique.
So yes, Pokémon GO comes with security issues and must be played with healthy dose of common sense. But as a 90s kid myself, I can’t do anything else than absolutely share the Pokémon fever. All I know, is that I will wait patiently for the official non-malicious version to come out ;)
Make sure you don’t miss out on Nordic IT Security this year, delegates can get a ticket free by registering here > http://bit.ly/29B3UZ0
