Pokémon Go ‘App’ Hides Nasty Ransomware Surprise

Written by

Security researchers have discovered new ransomware masquerading as a Pokémon Go app which also creates a backdoor in the victim’s machine as well as attempting to spread itself via removable media.

The malware itself is an updated version of the Hidden Tear open source initiative, according to Lawrence Abrams at Bleeping Computer.

Discovered by researcher Michael Gillespie impersonating a Windows Pokemon Go app, the ransomware scans a victim’s drive and encrypts any file with a certain extension – as per usual.

However, there are some features which demand further attention.

“Most ransomware infections encrypt your data, delete itself, and then display a ransom note. The malware developers are there to do one thing; encrypt your files so that you pay the ransom,” explained Abrams.

“With this said, most ransomware typically do not want to leave any traces behind other than the ransom notes. The Pokemon Go ransomware acts a little differently as it creates a backdoor account in Windows so that the developer can gain access to a victim's computer at a later date.”

It’s not clear at this stage why the backdoor has been created, nor why the ransomware also creates network shares on the victim’s computer.

It has also been designed to copy itself to all removable drives before creating an Autorun.inf file so that it runs every time removable media is inserted into the computer.

Although the sample discovered by Gillespie is targeted at Arabic speakers – and most likely developed by an Algerian national – it is still in development, so we could see it reappear in a more battle-ready form in time.

Mark James, security specialist at Eset, warned that the backdoor could allow a hacker to remotely connect to a victim’s computer at a later stage to perform other malicious tasks.

“It’s currently targeted at Arabic victims but could easily be adapted for global use and we could see it modified and spread in other countries,” he added.

“Malware is constantly changing and the need to have a good multi-layered regular updating internet security product is a must these days if you want to keep safe. Keep your operating system and applications updated and on the latest versions and make sure you have some kind of backup to protect any data you can’t afford to lose.” 

What’s hot on Infosecurity Magazine?