NEWS ANALYSIS: While there’s nothing wrong with Nintendo’s Pokémon Go game itself, its popularity and number of crazed users raise the threat level significantly as vulnerabilities expand.
By now you’ve heard about the chaos that accompanies Nintendo’s wildly popular augmented-reality game, Pokémon Go. You’ve heard about people who walk into immovable objects or off cliffs. You’ve heard about the Maryland driver so caught up in his game while behind the wheel that he slammed into a parked police car.
The game is so popular that the only things that have knocked it off the front pages are Donald Trump and the Republican National Convention. But what you probably haven’t heard is the full extent of the threats posed by random Pokémon gamers and those who want to exploit them.
To some extent, the rising threat levels are a result of the game not being available everywhere, the rapid adaptability of malware distributors and, most prominently, the remarkable degree of user cluelessness. But regardless of the cause, businesses now have to deal with the consequences. Unfortunately, those consequences can be significant.
In my previous column about Pokémon Go, I introduced you to a malware package named DroidJack, which basically lets the person controlling the malware control the Android phone it’s running on. The malware provides complete control of every aspect of the phone, including installing and running apps without the owner’s knowledge or permission. DroidJack, it seems, is a threat to the enterprise network as well as to individual mobile device users.
According to Kevin McNamee, director of the Nokia Threat Intelligence Lab, anyone can buy the DroidJack malware for $210 from the DroidJack public Website. The slickly produced site provides everything the aspiring malware distributor might want, including a detailed video tutorial on how to make it all work. It should be noted that the company selling the malware takes pains to refer to it as management software that will allow parents to track their children or companies to track their employees.
“You get a graphical user interface and a builder, which can build a native APK file, or you can bind DroidJack to an existing app,” McNamee explained. He said that this makes it possible to turn any Android app into a malware delivery system, but he noted that this works especially well with Pokémon Go because users aren’t necessarily thinking about security when they download and install it.
“This is the classic platform for an advanced persistent threat,” McNamee said. “They get a foothold and then scan around. They get into important computers, such as servers, and then exfiltrate information.”
Once an Android phone connects to the corporate WiFi, he said, it’s possible for it to scan the network for details about network resources and assets, names and users, and sometimes much more. That information can then be used for a subsequent phishing attack, which can then open the door for an assault on the company network.