Monday, 11 July 2016

Cybercriminals use Pokémon GO to infect devices 📳📴

Pokémon GO may be proving insanely popular, but people who are downloading the Android app from non-official app stores could be putting themselves at risk of cybercrime.

People are resorting to downloading the game from third party sources because the app is not yet officially available worldwide.

The augmented reality game was first released in Australia and New Zealand on July 4th, with the US version being made available to customers a couple of days later.

However, Nintendo have paused rolling the game out to the rest of the world because they're worried that they will overload their servers.

Within 24 hours of the game's launch, the company's servers had crashed due to its enormous popularity.

Online security company Proofpoint have found infected knockoff copies of the newly released mobile game.

The infected version of the mobile game installs a remote access tool (RAT) called DroidJack to your phone.

From here attackers can seize control of your device and harvest personal information by tracking your movements.

Malicious activity could include stealing your passwords, credit card numbers, silently installing further viruses and recording video, all without your knowledge.

Versions of the infected game have not yet been found on app services in the wild. Yet the cybersecurity firm warned that: "should an individual download an APK from a third party that has been infected with a backdoor, such as the one we discovered, their device would then be compromised."

That has led some users to seek out “unofficial” versions of the Pokémon Go application online, where it has been uploaded for distribution on various sites as an APK file – the file format used by Android applications. Unlike iOS, Android allows users to toggle off a setting that prevents installation of apps from outside the official app store.

This, however, can be a dangerous practice.

In the case of the infected APK version of Pokémon Go that the security researchers discovered, there’s no way for players to tell if they had installed malware without digging into the app’s permissions and then comparing them to the official app’s permissions. (A second method involves comparing the SHA256 hash of the APK to the official version, but we wouldn’t call this a consumer-friendly method. More information on that is here.)
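Both checks described above can be scripted. The following is an added example, not code from the researchers or from the original post: it compares a file's SHA-256 against a reference digest and lists permissions that a suspect APK requests beyond the official one. It assumes the permission lists are text output from the Android SDK's `aapt dump permissions`; the sample dumps and the package name are constructed for illustration, and the reference digest must come from a source you trust.

```python
import hashlib
import re

# Assumed aapt line styles (newer and older builds):
#   uses-permission: name='android.permission.INTERNET'
#   uses-permission: android.permission.INTERNET
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?", re.M)

# Constructed sample dumps; these are NOT the real apps' permission lists.
OFFICIAL_DUMP = """package: com.example.game
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
"""
SUSPECT_DUMP = OFFICIAL_DUMP + """uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECORD_AUDIO'
"""


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large APK need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_matches(path, reference_hex):
    """True only if the file's SHA-256 equals the trusted reference digest."""
    return sha256_of_file(path) == reference_hex.strip().lower()


def parse_permissions(dump_text):
    """Collect the permission names from an aapt permissions dump."""
    return set(PERM_RE.findall(dump_text))


def extra_permissions(suspect_dump, official_dump):
    """Permissions the suspect APK requests that the official one does not."""
    return sorted(parse_permissions(suspect_dump) - parse_permissions(official_dump))


if __name__ == "__main__":
    for perm in extra_permissions(SUSPECT_DUMP, OFFICIAL_DUMP):
        print("not requested by the official build:", perm)
```

A matching permission list does not prove an APK is clean; only a digest match against a trusted reference shows the file is byte-for-byte the official build.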

In fact, the compromised application has the same startup screen as the legitimate version, the researchers pointed out.

Though the app does include a remote access tool that would allow attackers to take control of the victim’s phone, the researchers found that its “command and control” (C&C) server, the server that listens for connections from infected devices and then gives them commands, was not accepting connections from infected devices. That server was based in Turkey.

That being said, the fact that malware authors are already toying around with fake Pokémon Go apps should be a word of warning to anyone thinking of seeking out the game through unofficial means. This is not likely to be the last time we see Pokémon Go malware, if the game remains as popular as it is today.

"Cybercriminals can take advantage of the popularity of applications like Pokémon GO to trick users into installing malware on their devices."

To protect yourself from possible infections, your best bet is to only download the game from the official app store, and not a third-party site.



