Risks - or not - Behind Pokémon Go

At FortiGuard, we wouldn't let you down without an analysis of Pokémon Go. Is it safe to install? Can you go and hunt for Pokémon, or stay by a pokestop longing for pokeballs? While this article won't assist you in game strategy, I'll give you my first impressions analyzing the game.

Versions

There are two sorts of Pokémon applications:

1. The official versions, issued by Niantic.

We will talk more about these later, but in brief, they are not malicious.

2. The hacked versions. These are also known as "mods", which are issued by other developers, for multiple reasons. It is in this category we are the most likely to encounter malware. For instance, a repackaged version infected with DroidJack RAT has been identified to be in the wild (see analysis below).

15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4 

However, not all hacked versions are necessarily malicious: we inspected hacks to play on Android 4.0 (the minimum requirement is normally 4.4), or to modify GPS coordinates, neither of which showed any malicious intent.

baf0dc2e19c6ec9ebfc2853785e92e175064c522a82410c2e56e204fad156838 4d482cf9beef8d4f03a6c609025fc6025069c0c83598032e46380d23a75f1979 

Besides manual inspection, we also sent those samples to our learning-based Android prediction engine, SherlockDroid / Alligator, which confirmed our analysis ;)

Risk #1 Installing an infected version

As mentioned earlier, a sample with sha256

15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4

is infected with Android/SandrC.tr, dubbed DroidJack RAT.

This is a known malware, for which we have had a signature since 2015. Therefore, Fortinet customers were protected from this malicious Pokémon app from the beginning :)

This malware is quite widespread. Internal statistics at Fortinet indicate more than 8,800 detections in a year, and 160 last month alone, but those figures are largely underestimated for various reasons, including the fact that reporting is not enabled by default. So, basically, what you should remember is that this malware is still in the wild and active currently.

More malware to come?

Yes, very certainly. Malware authors are likely to continue to re-package the game with a variety of malware and distribute it. The fact the game wasn't released in all countries at the same date, for example, (thus forcing impatient users to look for alternatives on the web), combined with the fact there are large game hacking (that's nice) and cheating (that's bad ;) communities only increase the potential for downloading an infected version of the game..

Risk #2 Full Google Account Information? (This is fixed)

Adam Reeve noticed that the game requested full access to your Google account. Note: we are not talking about an Android permission here but a permission of an app connected to a Google account.

This was an error and Niantic fixed this. So be sure to remove the permission from your account and upgrade your Pokémon Go application.

Finally, note that it is not extremely clear in the documentation exactly how much "full access" really means, but no malware or exploit of this has been reported so far.

Risk #3 Unwanted network traffic

In a perfect world, we'd expect games to only send packets over the network that are absolutely necessary for the game to run, such as your location, the details of Pokémon around you, etc.

However, this is very far from reality, and for years now most Android applications are bundled with third party kits (analytics, crash reporting, cross platform engines, etc.) which use up the bandwidth which send and receive more or less useful side information containing, in the best cases, the exact model of your smartphone, or in the worst, personal information such as your phone number and other private data.

Pokémon Go is one of these bandwidth hungry applications. I downloaded it two weeks ago, and it is already close to being the most greedy application on my phone...

For mobile users, the consumption of bandwidth is a real issue. On average, 24% of an application's traffic is for third party tracking and advertising services. For some applications, the rate rockets to 98%.

While the percentage of side traffic for Pokémon Go hasn't been measured precisely, given the number of third party functionality it includes, I wouldn't be surprised if it isn’t well above 50% ;)

Here is a list of what version 0.31.0 contains:

• Crittercism - now called Apteligent - is a mobile application "performance management solution"
• Dagger is a "fast dependency injector"
• Android support libraries: those are common to nearly all Android applications
• Apache commons I/O
• Unity 3D: that's the game engine Pokémon Go heavily relies on
• Space Madness Lunar Console: this is a "lightweight Unity native iOS/Android logger"
• Google Ads
• Google GSON
• Jackson XML: this is the JSON library for Java
• JNI bridge
• Upsight: a mobile analytics and marketing platform
• Google billing
• Square Otto: an event bus
• Voxel Busters: with "cross platform native plugins"
• rx for Reactive programming

Along with such "not-so-essential" network traffic to third party servers also comes common leaks. While we expect Niantic Labs and Unity 3D (game engine) to access our geographic location (to locate Pokémon and pokestops), perhaps we shouldn’t expect apps like Crittercism, Google Ads, Jackson XML, or Upsight to retrieve our location?

The disassembled code also shows that Voxel Busters is building the full list of our phone's contacts (see figure below). They access the display name, phone number, phone and email of all contacts. The list is then compiled into a JSON object and sent to a function named UnitySendMessage, which is then exported by a Unity shared library (libunity.so) where it is dispatched to another function, and where I currently lose its track. Are contacts sent to remote servers? This is not confirmed yet, but is of some concern.

So, yes, you need to know that while you play Pokémon Go you send your geographic location, along with other details (e.g network operator name, phone brand, etc.), to several remote servers, and you "pay" for this side traffic through bandwidth consumption. Unfortunately, this is increasingly true for nearly any game found in application stores nowadays...

Risk #4 Spoofed Pokémon map or activity

The Pokémon Go application communicates with Niantic servers via HTTPS (see image below). Even better, in version 0.31.0, Niantic introduced certificate pinning to ensure that applications exchanged information with the real Pokémon servers and not with others

Initiating a TLS handshake with Pokémon Go servers

However, when certificate pinning is not active, an attacker can perform a MITM attack and thus completely modify the game for victims. For example, rastapasta managed to customize pokestops!

 Hacked pokestop by rastapasta

A malicious person can easily imagine other customizations, such as displaying an infected link in a pokestop, or directly injecting infected traffic. While such attacks are probably feasible, they are tricky, and the attack would only operate on the network where the Pokémon Go MITM proxy is setup.

Conclusion

• The Pokémon Go application is not malicious.
• It is no longer possible foe the application to fully access your email. It was a risk with an older version, but hasn't ever been demonstrated.
• There are currently versions of Pokémon Go in the wild repackaged with malware, and I expect more to come. Consequently, if you are not retrieving your applications from a safe application store I recommend you check its SHA256 hash against the official one, or scan the application with an anti-virus tool.
• Like most applications nowadays, Pokémon Go (or the third party apps it uses) exposes your privacy and implies unwanted network traffic.
• Niantic has obviously paid attention to securing access to its gaming servers. However, locally, MITM proxy attacks remain possible by skilled attackers.

Keep posted!

-- the Crypto Girl