Malicious Pokémon Go App Installs Backdoor on Android Devices

Researchers are warning would-be Pokémon Trainers that a malicious, backdoored version of the massively popular game Pokémon Go could be making the rounds soon.

Researchers are warning would-be Pokémon Trainers that a malicious, backdoored version of the massively popular game Pokémon Go could be making the rounds soon.

An APK (Android application package file) of the game has been rigged with a remote access tool (RAT) called Droidjack that if installed, could essentially give an attacker complete access to a victim’s phone.

Pokémon Go, an augmented reality game based around the 20-year-old media franchise, hasn’t even been out in the U.S. for a week yet but has already been so popular that its servers have been repeatedly bogged down. Perhaps more surprisingly, the game has apparently already added nearly 11 billion dollars to the value of Nintendo, the app’s owner, since being released.

Researchers with the firm Proofpoint caution that while the APK hasn’t been spotted in the wild yet, it has been seen on a malicious file repository service, meaning it could only be a matter of time until its spread online.

Citing server strain, Niantic, Inc., the software company that created the game with Nintendo, has paused the game’s worldwide rollout. Currently the game is only available in the United States, Australia, and New Zealand, meaning users in other countries may be tempted to sideload APKs of the game from illegitimate channels.

In order to do so however, Android users have to adjust their device’s settings to be able to install third party APK files from untrusted sources – something that’s almost universally regarded as a risky practice.

Proofpoint claims the backdoored Pokémon Go app communicates with a command and control domain hosted on a dynamic IP address in Turkey. Dynamic IP space can commonly be used for botnets, spamming, and other suspicious activity. In this case, the domain is hosted on, a site cybercriminals have used in the past to obscure malware operations.

Users would have to go into the app’s “Permissions” settings in order to verify whether or not a sideloaded version of the game is infected, researchers warn. The malicious APK asks to be able to view Wi-Fi connections, to connect and disconnect from Wi-Fi, change network connectivity, and to retrieve information on running apps. The infected game’s startup screen is identical to the real game, otherwise.

Again, while the malicious APK isn’t in the wild yet, researchers with the firm have acknowledged that given the sheer popularity of the game, it’s a scary proof of concept.

“Even though this APK has not been observed in the wild, it represents an important proof of concept: namely, that cybercriminals can take advantage of the popularity of applications like Pokemon GO to trick users into installing malware on their devices,” Proofpoint’s blog reads.

Image via Randy Miramontez /

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.


  • Jamie64326 on

    Can you please correct the article? Pokemon is a 20 year-old franchise, not 30. The franchise came out in 1996 and is currently celebrating it's 20th anniversary.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.