- Mike McCormick
Is Pokemon Go Malware?
Malware is like pornography; it’s hard to define, but we know it when we see it. At least we think we do. The Pokemon Go craze provides an opportunity to revisit this tricky subject.
One or more of these attributes are commonly associated with malware:
Installs without user knowledge or consent
Runs hidden from the user or disguised as something else
Behaves in ways different from what the user expects
Collects personal information about the user without permission
Collects credentials, files, or system data it doesn't need
Damages the device or file system
Modifies, deletes, or encrypts preexisting files
Moves to other users or devices without user knowledge or consent
Displays advertising without user consent
Has unexpected or harmful effects in the physical world
We can grade programs on a 0 to 10 scale by counting applicable attributes. A low nonzero score, say 1 or 2, might indicate undesirable “grayware” that's not outright malicious. Higher scores indicate malware, with 10 being the most malicious (e.g., Stuxnet).
Certain social network apps qualify as grayware (score of 2) as do some popular games. The world’s most popular game at the moment is Pokemon Go. Is it malware? Consider three attributes:
3. Unexpected behavior: With Pokemon Go, what you expect is mostly what you get. But it does include features that might surprise users, such as the ability for business to buy Pokestops to attract customers to their stores. It also performs location tracking in ways that may be monetized in future.
Verdict: Pokemon Go has some hidden features but they’re generally benign so far.
5. Collects credentials and files: The iPhone/iPad version of Pokemon Go initially gained access to your Google password, Google Drive files, and Gmail emails if you logged in with a Google ID. Apparently this was an unintentional bug that seems to be fixed in the latest version.
Verdict: Pokemon Go had this troubling behavior at one time, but as far as we can tell it’s been removed.
10. Physical crossover: Pokemon Go is having surprising impacts on the physical world, some unpleasant or even dangerous. A friend of mine lives near a city park that’s now overrun by Pokemon Go players because it was designated a “gym”. The park has no parking area, it’s too small to hold the extra people, and a once quiet residential street now has much more traffic. Driving while Pokemoning (DWP) is against the law as some states are aggressively reminding drivers (see photo). More dangerously, armed robbers are creating Pokestops to lure victims to secluded places.
Verdict: Pokemon Go affects the physical world in serious ways but they are generally more due to user carelessness than the software itself.
For now Pokemon Go scores zero on the malware scale. If there was a guilty verdict on just one of the above attributes, it might be grayware. All three would arguably make it malware. But since none of the verdicts are clear, Pokemon Go remains innocent till proven guilty.
Pokemon Go does carry risks that players should be aware of. The CIA issued unclassified guidelines for military and intelligence personnel playing the game, most of which make good sense for civilians too. The Red Cross and various police departments have also issued safety tips for Pokemon hunters.
Malware has many faces, and not all are monsters.
Michael McCormick is in information security consultant, researcher, and founder of Taproot Security.