How to avoid Pokemon Go malware
Installing the wrong app could lead to a bigger battle than trying to take over the gym down the street.
Pokemon Go is a mobile phenom unlike anything we've ever seen. Players are going out with the augmented reality app on their phones, finding Pokemon all over the real world. They are also finding themselves in shady situations, stumbling across a dead body and (on the positive side of things) making new friends.
There's another troubling thing associated with the game: Android malware.
Security experts Proofpoint discovered the DroidJack malware embedded into a version of Pokemon Go downloaded outside of the Google Play Store. So, if you side-loaded a version of Pokemon Go -- a particular problem in parts of the world where the game isn't yet officially available -- you might have installed some malware with it.
The compromised version of Pokemon Go Proofpoint analyzed looks and acts just like the real app. But it requests extra permissions and has malicious code added to it -- permissions an excited player would likely overlook during the install process. The end result is loading an application on your Android device that has the ability to take control of your phone or tablet.
Some side-loaded versions of Pokemon Go were deemed safe -- such as the one CNET covered -- but, in general, it's better to be safe than sorry.
How can I avoid Pokemon Go malware?
Wait for the app to officially launch in your country. I know, I know, that amounts to torture; I'm sorry 'bout it.
Installing from unofficial channels requires you to turn off security settings designed to keep your information and device secure. For example, to install any app from an APK site you need to allow app installs from untrusted sources (Settings > Security > Unknown Sources). This setting specifically prevents app installations from outside of Google Play, and by turning it off you're potentially exposing your device to malware-laden apps that appear legit.
Granted, there are some APK websites that do everything to cover their bases and ensure the APKs listed on the site are legit copies of the Play Store version, but bad guys like to figure out ways around such processes.
In short: Be patient and just be thankful you don't have to deal with the continuous server errors suffered by Pokemon Go users where the app is available.
How do I know if I installed a malicious version of Pokemon Go?
If you just couldn't wait and installed Pokemon Go from an outside source, Proofpoint suggests checking the app's requested permissions. On your device, open Settings > Apps > Pokemon Go > Permissions. According to the post, the specific version of malware the company examined requested permission for tasks such as record audio, modify contacts, read your web history and run at startup. The complete list is included in Figure 2 and Figure 3 on this post.
If you discover the app you've installed lists extra permissions, uninstall the app right away.