Unless you happen to be living under a rock, there’s no doubt that you have heard about the Pokemon Go app that has so many users running around trying to catch ’em all.
If you happen to be one of these users, I have some potentially bad news for you. If you are an iOS user, Niantic, the creator of Pokemon Go, may now have complete access to your Google account. If you are an Android user and you opted to sideload the app, you are more than likely infected with malware on top of giving up access to your Google account.
How did this happen?!
When you first open the app, you are given the option to sign in with either your Pokemon Trainer Club account or your Google account. Due to the large volume of activity, the Pokemon Trainer Club servers have been down, so the majority of users simply signed in with a Google account.
Unlike most apps that request access to your Google account, this one does not ask you which permissions should be granted and it is automatically given full access to your account. If that doesn’t cause you to panic, here is the list of what they have access to:
- Read all your email
- Send email as you
- Access all your Google Drive documents (including deleting them)
- Look at your search history and your Maps navigation history
- Access any private photos you may store in Google Photos
- And a whole lot more depending on which Google apps you use
Now, it is possible to revoke their access if you signed in this way and here is how to do it:
- Go to this page and sign in to the account used on the Pokemon Go app.
- Click on “Pokemon Go Release” on the list (it should be near the top, where all Full Access apps are listed).
- Click Remove, then OK
For those who are still logged in to the app, it seems that you can continue using the app without any problems. I am not certain what will happen after the login “times out” and you have to log in again. If you log in again with your Google account, you will have to revoke access again. The preferred method would be to sign up for a Pokemon Trainer account, as long as the servers are up and running, and use those credentials.
Now, if you are an Android user and you installed the app through Android APKs, maybe because the app wasn’t available in your area, then you more than likely have a counterfeit version of the app that installs the DroidJack backdoor malware along with the Pokemon Go app. This backdoor gives the people distributing the malware complete access to your Android device.
The DroidJack’ed Pokémon GO app requests permissions to directly call phone numbers; receive, send, and modify SMS and MMS messages; and modify your contacts list. If you read the permission prompts and see these requests, you can stop the installation there, and you will need to remove any files. If you already installed the app through the APKs, you can look within the app’s file system, where fake starter classes can be found, like “net.droidjack.server,” which is responsible for connecting to the malware’s Command and Control (C&C) server to relay the information.
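The two indicators described above, the permission requests and the “net.droidjack.server” class, can be checked on a downloaded APK before it is installed. The following is an added example, not code from the original post: the mapping from the described permissions to Android permission names is an assumption, the byte search is a triage heuristic rather than a full manifest parser, and the sample APK is constructed.

```python
import io
import zipfile

# Assumed mapping from the permissions the article describes to Android
# manifest permission names (the article gives descriptions only).
SUSPICIOUS_PERMISSIONS = [
    "android.permission.CALL_PHONE",      # directly call phone numbers
    "android.permission.RECEIVE_SMS",     # receive SMS
    "android.permission.SEND_SMS",        # send SMS
    "android.permission.WRITE_SMS",       # modify SMS
    "android.permission.RECEIVE_MMS",     # receive MMS
    "android.permission.WRITE_CONTACTS",  # modify the contacts list
]
# Class prefix named in the article, in dotted and DEX descriptor form.
DROIDJACK_MARKERS = [b"net.droidjack.server", b"net/droidjack/server"]


def _contains(blob, text):
    """True if text occurs in blob as UTF-8 or UTF-16LE bytes."""
    return text.encode("utf-8") in blob or text.encode("utf-16-le") in blob


def triage_apk(apk):
    """Scan an APK (path or file object) and return the indicators found."""
    found = {"permissions": [], "droidjack_class": False}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            data = z.read(name)
            if name == "AndroidManifest.xml":
                # Compiled manifests store strings as UTF-8 or UTF-16LE.
                found["permissions"] = [
                    p for p in SUSPICIOUS_PERMISSIONS if _contains(data, p)
                ]
            elif name.endswith(".dex") and any(m in data for m in DROIDJACK_MARKERS):
                found["droidjack_class"] = True
    return found


def build_sample_apk(manifest_perms, dex_strings):
    """Constructed stand-in for an APK: a zip with fake manifest and dex bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        manifest = b"\x00".join(p.encode("utf-16-le") for p in manifest_perms)
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"\x00".join(s.encode() for s in dex_strings))
    buf.seek(0)
    return buf
```

Call `triage_apk("path/to/file.apk")` on a real download; any hit on the class marker, or several of the listed permissions in something claiming to be a game, is a reason not to install it.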
So, if you happen to be a Pokemon enthusiast and want to use this app, I recommend that you only install it from your device’s respective “store” and wait to create a Pokemon Trainer account to log in with. Also, if you have logged in with your Google account info, then it is a good idea to change your password… At this time I do not believe that Niantic is collecting this information on purpose, but it’s only a matter of time before someone else can find a way to gain access to it from them.