Pokemon GO Catches a Ton of Personal Info

The cultural phenomenon known as Pokemon GO has already become a criminal’s present on a platter, because it collects a scary amount of personal information from the user.

The augmented reality game was first released in Australia and New Zealand on July 4th and was released in the United States right after—and in those scant few days it has grown to be an obsession for millions. The game works with Google Maps, overlaying Pokemon gyms, beacons and the Pokemons themselves onto maps of neighborhoods. As users move around in the physical world, they collect and fight the Pokemon they run across. It’s sparked many to get out and walk around, which is a good thing—but something this popular always has a downside in the form of presenting a wide, attractive threat vector for hackers.

Pokemon Go’s creator, Niantic Labs, began by having full access to the collector’s Google account if he or she used it to log into the game from an iOS device. That full account permission means that Niantic had access to all information, including email, contacts, photos and documents, as well as the ability to post, delete and send things from an account.

Niantic said in a statement that it did not use that access for ill and that so far it has accessed only user IDs and email addresses. But of greater concern than what Niantic might do with the captured information is how secure its servers are; a successful hack could lay open millions to compromise.

"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user's Google account," the company said. "Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access." The update was released today.

But even outside of the iPhone problem, Pokemon Go taps into all kinds of info, including the phone's GPS information. That includes location history, current location, to the amount of time someone spent in a given place, geolocation data and more—all of which is ultimately stored by the developer.

Worse, a look at the game's privacy policy shows that it gathers personal email addresses, birth dates and privacy settings: "During gameplay and when you (or your authorized child) register to create an account with us ... we'll collect certain information that can be used to identify or recognize you (or your authorized child) (PII)," the policy states. "Specifically, because you must have an account with Google, Pokémon Trainer Club ("PTC"), or Facebook before registering to create an Account, we will collect PII (such as your Google email address, your PTC registered email address, and/or your Facebook registered email address) that your privacy settings with Google, PTC, or Facebook permit us to access."

The company said that it may also log the Internet Protocol (IP) address of the user's computer, the web page they visited before clicking on Pokemon Go, and what pages and search terms they used on the site, among other data.

“Mobile apps are notorious for requesting excessive permissions—something that users should scrutinize whenever installing a new app,” said Javvad Malik, security advocate at AlienVault, via email. “However, in this case, it appears as if it was a failing on behalf of Google in allowing an app to not only request admin privileges, but doing so without displaying a prompt to users. An issue that apparently Google is seeking to fix as soon as possible. However, it does beg the question whether or not other not-so-popular apps have been able to sneak under the radar in the past.”

Of course, the popularity of Pokemon GO represents other security risks. For instance, a malicious version of the mobile app was released into the wild just 72 hours after the game debuted.

Coinciding with the game’s release were tutorials for "side-loading" the application on Android—likely to offer those in countries where the app has yet to be released a way of getting in on the action. Not long after that, Proofpoint researchers discovered an infected Android version, with a specific APK that has been modified to include the malicious remote access tool (RAT) called DroidJack (also known as SandroRAT). It gives an attacker full control over a victim’s phone.

“Likely due to the fact that the game had not been officially released globally at the same time, many gamers wishing to access the game before it was released in their region resorted to downloading the APK from third parties,” Proofpoint researchers said. “Additionally, many large media outlets provided instructions on how to download the game from a third party. Some even went further and described how to install the APK downloaded from a third party.”

Unfortunately, this is an extremely risky practice.

“Installing apps from third-party sources, other than officially vetted and sanctioned corporate app stores, is never advisable,” the researchers noted. “Official and enterprise app stores have procedures and algorithms for vetting the security of mobile applications, while side-loading apps from other, often questionable sources, exposes users and their mobile devices to a variety of malware. As in the case of the compromised Pokemon GO APK we analyzed, the potential exists for attackers to completely compromise a mobile device. If that device is brought onto a corporate network, networked resources are also at risk.”

The infected Pokemon GO APK has been modified in such a way that, when launched, the victim would likely not notice that they have installed a malicious application. The startup screen from the infected Pokemon GO game is identical to the legitimate one. But users can check whether a device is infected by checking the installed application’s permissions. That’s done by going to Settings -> Apps -> Pokemon GO and then scrolling down to the permissions section to see if there are any excessive rights granted.

Photo © Syafiq Adnan/Shutterstock.com

What’s Hot on Infosecurity Magazine?