People want to play Pokemon Go so much that they are putting their digital lives at risk to do it.
The augmented reality game has only been released in the US, Australia and New Zealand so far. That means that international users have to go through roundabout ways to get it – which often means “sideloading” it, or installing it outside of the official app store.
The problem is that doing so can lead Android phones to pick up malicious software that spies on their phone and gets access to it. Such evil versions of Pokemon Go are already circulating as people rush to play the game.
Many outlets have recommended sideloading as a way of getting hold of the game in the UK, Canada, Europe and other locations where it is still yet to be released. But it puts the phone at huge risk – app stores exist partly to check the files that are being sent to people’s phones and ensure they pose no security risk, and the third-party files that can be downloaded often include bad code that would otherwise be deleted.
People who have their phone infected wouldn’t usually be able to tell, since the app is almost identical to the legitimate one but has the malicious software added on top. But there are ways of checking whether the app is an infected one.
Sideloading works by downloading an APK for the game – the package of files that is usually accessed through an official app store. Those usually come from a third party and many of them appear to be compromised, adding viruses and other software to the files.
It’s only possible to sideload apps on Android, since the iPhone is locked to use only apps downloaded from the App Store, unless it is jailbroken.
Researchers from cybersecurity firm Proofpoint have found modified versions of the Pokemon Go APK that include remote access trojans that give attackers full control over a victim’s phone.
The firm said that they had not yet seen the APK in the wild, but that represents “an important proof of concept”.
“Bottom line, just because you can get the latest software on your device does not mean that you should,” the team wrote. “Instead, downloading available applications from legitimate app stores is the best way to avoid compromising your device and the networks it accesses.”
Users can check whether their phone has been infected by going to Settings and finding the Pokemon Go app. There, look for the “permissions” section and see what the app can do with your phone – if there are suspect permissions like “read your text messages” or “record audio”, then the app is likely infected and should be removed.
Pokemon Go’s developers haven’t said when the game will be released beyond the three current countries, but that the huge amounts of players that are already on it have led them to “pause” the rollout.