News: Security experts warn of DroidJack malware on infected unofficial app.
Usually CBR reporters are digitally diligent, aware of the risks from downloading unofficial apps. However, the lure of Pokémon Go proved too much, with Editor Ellie Burns and reporter James Nunns potentially putting their digital lives at risk.
This is because CBR’s Burns and Nunns are part of a growing number of people who are ‘sideloading’ the popular augmented reality game, that is, installing it from outside the official app store. According to security researchers, this may have resulted in the downloading of an infected version of the app which contains a backdoor called DroidJack. Explaining just how dangerous the backdoor could prove to be, Kevin Epstein, VP, Threat Operations Centre at Proofpoint, said:
“DroidJack gives attackers complete access to mobile devices including user text messaging, GPS data, phone calls, camera—and any business network resources they access. This makes both the practice of side-loading applications (downloading apps from unofficial app stores) and the presence of apps like the malicious version of Pokémon GO especially concerning. Installing apps from third-party sources, other than officially vetted and sanctioned corporate app stores, is never recommended. Even though this malicious app has not been observed in the wild, it represents an important proof of concept: namely, that cybercriminals can take advantage of the popularity of applications like Pokémon GO to trick users into installing malware on their devices.”
Consumers have been warned to avoid downloading apps from any stores other than the Apple App Store and Google Play, as many other stores lack the security controls needed to prevent hackers from taking advantage.
Tyler Reguly, Manager of Software Development at Tripwire, argued that this instance of hackers seizing on the latest trend is an example of the inherent flaws of software distribution, combined with the social pressures for consumers not to be late to the newest fad. He said:
“I think, in many ways, this comes down to a problem with software vendors and their approach to distribution. It's an issue that's mimicked in media distribution and comes down to two main issues, globalization and the "me first" attitude of Millennials and Generation Z. Media, regardless of the format, is distributed on a per-country or per-region basis rather than globally, yet online discussions happen at a global level and seeing the positive reviews of others forces that "me first" attitude to kick in, "I must try it at any cost." The result is people download movies, music, books, and games from a variety of sketchy sources. The websites hosting this content are often plagued with drive-by attacks and malware; incorporating this into the actual download is a logical expansion.
“Had Pokémon Go been released globally (since people everywhere are playing it), no one would have felt the need to visit third party sites to acquire the APK.”
According to App Annie, Pokémon Go is on course to make $1 billion a year, with users across the world vying to ‘catch ‘em all’. However, the lure of the popular game may have resulted in impatient users catching malware, with CBR’s Ellie Burns and James Nunns potentially catching more than Pikachu and Bulbasaur.