Pokémon Go has taken one of the biggest cultural crazes of the late 90s and turned it into the most popular augmented reality game yet created. The game is free to download to an Android or iOS device, and uses the device's GPS location capabilities and clock to detect when and where the user is in the game. It then uses the device's camera to make Pokémon characters appear in the player's on-screen surroundings, ready to be 'caught'.
It’s undoubtedly a hugely clever concept, combining personalised interactivity with an existing, massively popular concept and character set. So it’s no surprise that Pokémon Go swept to the top of the app download charts within just five hours of being released, and was installed on 7.5m devices in a week – the equivalent of 5% of all Android devices in the US after just two days – making it more popular than dating app, Tinder.
However, in their mission to ‘catch ‘em all’, Pokémon Go users could be inadvertently exposing themselves to a range of security risks and cyber threats. And even if you have no knowledge of, or interest in the game, it could have a huge impact on your business’s information security posture. Here’s how.
Is it for real?
A very real threat with an app this popular is the legitimacy of the download. Pokémon Go has initially only been available in a limited set of countries, so enthusiasts have turned to unofficial app stores and download sites. This massively increases the chance of the game being infected with something damaging.
It took just four days for cyber-criminals to exploit this demand and assemble a repackaged download of Pokémon Go, complete with embedded malware. The malware, DroidJack, specifically targets Android users and once installed can access everything on the device including email, contacts, photos, videos and text messages. It can even give attackers remote control of the device’s camera or microphone, to enable remote recording. Clearly, if the phone also contains or even just occasionally accesses sensitive corporate information, then this is a huge problem.
When a download’s popularity exceeds its initial availability, some customers will turn to unofficial channels to obtain it – creating an opportunity for cyber-criminals to exploit that demand. It’s easy to imagine the same scenario applying to future games too.
Capturing your data
Nevertheless, Pokémon Go is being rolled out as quickly as possible, and you might think that so long as users (some of which may be your employees) are all downloading the official version, then there’s no problem. But that’s not the case – it still presents a security risk. So let’s take a closer look at how Pokémon Go works.
Once installed on a smartphone, the app accesses that phone’s GPS, clock and camera in order to use the search giant’s location data. Crucially, the app is closely linked to Google; players have to sign up with a Google.com account, and the developer of the game is owned by Google. As such, users are essentially giving the legitimate Pokémon Go app permission to see their Gmail, calendars, photos and more. It is an app that is designed, from scratch, to track its users’ whereabouts and behavior. While they are focused on catching Pokemon, the app is quietly capturing a range of potentially sensitive data from the device. Is that information that you are willing to share outside of your organisation?
But I’m not the one playing
Even if you have no desire to download and play Pokémon Go, the chances are that some of your staff – or perhaps one of their kids – will. In other words, in a company of any size, it’s almost certain that several devices in that company’s mobile estate – whether employee-owned or corporate-owned – will have the game downloaded onto it sooner or later. What’s more, the enormous popularity of Pokémon Go suggests that this will just be the first of many augmented-reality smartphone games, which will still rely on the same access to location data, images and other information from your device. It’s an issue that is only going to get bigger.
This means that now, more than ever, it is vital for businesses to develop and implement a mobile security strategy for all devices used in their organisation. Mobile device management (MDM) helps to enforce policies around app downloads and device usage, but is not a complete solution in itself, as some products cannot detect malware or other malicious activity. The best approach to stopping malware and related exploits is to deploy security on the devices that works with MDM, and is capable of detecting malicious apps or malware that try to embed themselves and steal data. The solution should be able to inspect and quarantine suspicious apps in the cloud, before they are downloaded on the device. This way, any threats can be neutralised before they are able to take hold.
There is also an important employee training and corporate policy element to consider. You may not have total control over what staff do with their phones, but you can certainly help them to recognise the potential dangers of downloading content from unofficial app stores or sites, and ensuring that phone data is regularly backed up.
The rush to ‘catch ‘em all’ shows no signs of slowing down yet – just make sure that in the process, your business doesn’t inadvertently catch something much nastier.