Pagoda Blog

Here at Pagoda Technologies, we are constantly trying to keep our customers updated on security risks and personal data breaches. More often than not, the leading cause of data security breaches is human error, but every once in awhile there is a serious bug somewhere in the system that leads to compromised data. This week, we bring you something that happens to address both issues: Pokemon GO.

Pokemon GO is an Augmented Reality (AR) game that allows players to track, capture, battle and level up Pokemon. There are various geolocated ‘Pokestops’ in the game where players can acquire various treasures to upgrade Pokemon and level up in the game. The game was released by Niantic, a Google backed company whose past success include the game Ingress, another AR game with similar geolocated stopping points.

In the game players can also lay out lures, which attract more virtual Pokemon to that area. Consequently, it also attracts more real world people to one particular location. We mentioned human error at the beginning of this post and this is where it comes into play. According to a police report, four individuals were placing lures in remote areas and then mugged by people who stole their phones.

The bug in the machine (or is it?) is a Google permissions problem. When setting up your Pokemon GO account and creating your avatar, the app requests “full access” to your Google Account. After Niantic was alerted to this bug they went on the record to say that the wording “full access” is a bit misleading. According to Google, what it really does is collect your user ID and email address. However, this has a lot of people a bit spooked and some are even recommending you create a burner Google account to play the game.

Image from business2community.com

The third, and most worrying, potential security breach is the Trojanized Pokemon Go apps that malicious persons are creating. In just 72 hours after the app was released, a few cyber criminals has Trojanized a legitimate version of the free Android app to include malware and released in via unofficial, third-party app stores. We never recommend downloading anything from a third party location, this can open you up to security breaches in a very risky way. The malicious Trojanized app includes the remote access tool DroidJack (also known as SandroRAT) which can give an attacker full remote control over the victim’s phone. It doesn’t stop there however, if a phone is compromised with the malware, the network it is a part of could also become compromised. If you have anyone playing Pokemon GO at your corporate offices, reach out to them and make sure they have downloaded it from a reliable source.

As always, double check where you are downloading your apps and data from and educate your employees on good data security practices.

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

About Pagoda Technologies IT services

Pagoda Technologies is a globally recognized IT support company doing business in Santa Cruz, San Jose and all over the world and who is working to help businesses and their IT departments run smoothly and efficiently. To learn how Pagoda Technologies can help your business, email us at support@pagoda-tech.com to schedule a no cost business assessment.