Hackers use backdoored Pokémon Go to hack android mobiles

Pokémon Go is an amazing augmented reality game which made pokemon fans to walk out the street. The game uses advanced augmented reality technology in any android or ios. The game has only released on some countries. There is a reason, that’s how the game works. The developers came up with new amazing idea of playing pokemon in real life. The player have to walk out into the street and find the creatures in real locations. That’s how the augmented reality made the game awesome. Pokemon fans tend to move long distances even across the states to find their favorite characters.

How it is infected ?

Since this game is only available for certain countries, pokemon fans around the globe is so frustrated and searching third party stores other than play store. This is a nice chance for hackers. Skilled hackers have created honeypots and they are targeting android devices. Infected apk is being spread same as the speed of legit one. Never ever download games and apps from unknown sources unless you have clear idea on what you are doing.

Proofpoint security researchers had found infected version of the apk. The apk have embedded RAT (remote access tool) called DroidJack. These malicious codes can take full control over any infected android device. The infected device can be controlled by hacker remotely through transision control protocol mostly. He could install new apps, Record mic, make call, read message and call logs, take pictures and videos and if its rooted he can get possible shell access.

DroidJack is similar to metasploit android exploit. If you don’t know how to hack android using metasploit you can read my blog on How to hack an android phone – metasploit.  This infected application is configured to make reverse connection to the hacker. The payload connect through both TCP and UDP on port 1337 via Dynamic Domain Name System (DDNS). The payload points to no-ip.org DDNS service which allows the infected to connect back to the attacker even if the ip is changed. Attacker can register the new IP and resume the connection. Proofpoint team claims that the domain is resolved to an IP address in turkey.

How to protect yourself ?

If you have already downloaded from the unknown source uninstall it immediately and search for any any file change in the root directory or the app’s working directory. Reboot the phone and check whether there is any unknown tcp connection is established or not. You can find TCP viewer or similar application in playstore.

If you have the apk and not sure whether its infected or not, Compare the SHA checksum with the legit app.

LEGIT_APP: 8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67

INFECTED_APP: 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4

The conclusion is that; never ever download and install application from unknown sources. Download only from play store, if its  not available in your country wait for the global release. I’m waiting too. I’m excited !!!

susmith HCK

susmith HCK

I’m a computer enthusiast basically and i love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16 and i would like to explore security vulnerabilities and latest tech news and wanna share with you. If you like all these stuffs add me on Facebook and Google plus.

One thought on “Hackers use backdoored Pokémon Go to hack android mobiles

  • July 17, 2016 at 12:24 am
    Permalink

    Excellent post! We are linking to this particularly great article on our site.
    Keep up the good writing.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *