Hackers use backdoored Pokémon Go to hack android mobiles
Pokémon Go is an amazing augmented reality game which made pokemon fans to walk out the street. The game uses advanced augmented reality technology in any android or ios. The game has only released on some countries. There is a reason, that’s how the game works. The developers came up with new amazing idea of playing pokemon in real life. The player have to walk out into the street and find the creatures in real locations. That’s how the augmented reality made the game awesome. Pokemon fans tend to move long distances even across the states to find their favorite characters.
How it is infected ?
Since this game is only available for certain countries, pokemon fans around the globe is so frustrated and searching third party stores other than play store. This is a nice chance for hackers. Skilled hackers have created honeypots and they are targeting android devices. Infected apk is being spread same as the speed of legit one. Never ever download games and apps from unknown sources unless you have clear idea on what you are doing.
Proofpoint security researchers had found infected version of the apk. The apk have embedded RAT (remote access tool) called DroidJack. These malicious codes can take full control over any infected android device. The infected device can be controlled by hacker remotely through transision control protocol mostly. He could install new apps, Record mic, make call, read message and call logs, take pictures and videos and if its rooted he can get possible shell access.
DroidJack is similar to metasploit android exploit. If you don’t know how to hack android using metasploit you can read my blog on How to hack an android phone – metasploit. This infected application is configured to make reverse connection to the hacker. The payload connect through both TCP and UDP on port 1337 via Dynamic Domain Name System (DDNS). The payload points to no-ip.org DDNS service which allows the infected to connect back to the attacker even if the ip is changed. Attacker can register the new IP and resume the connection. Proofpoint team claims that the domain is resolved to an IP address in turkey.
How to protect yourself ?
If you have already downloaded from the unknown source uninstall it immediately and search for any any file change in the root directory or the app’s working directory. Reboot the phone and check whether there is any unknown tcp connection is established or not. You can find TCP viewer or similar application in playstore.
If you have the apk and not sure whether its infected or not, Compare the SHA checksum with the legit app.
The conclusion is that; never ever download and install application from unknown sources. Download only from play store, if its not available in your country wait for the global release. I’m waiting too. I’m excited !!!