• Mike McCormick

Is Pokemon Go Malware?


Malware is like pornography; it’s hard to define, but we know it when we see it. At least we think we do. The Pokemon Go craze provides an opportunity to revisit this tricky subject.

One or more of these attributes are commonly associated with malware:

  1. Installs without user knowledge or consent

  2. Runs hidden from the user or disguised as something else

  3. Behaves in ways different from what the user expects

  4. Collects personal information about the user without permission

  5. Collects credentials, files, or system data it doesn't need

  6. Damages the device or file system

  7. Modifies, deletes, or encrypts preexisting files

  8. Moves to other users or devices without user knowledge or consent

  9. Displays advertising without user consent

  10. Has unexpected or harmful effects in the physical world

We can grade programs on a 0 to 10 scale by counting applicable attributes. A low nonzero score, say 1 or 2, might indicate undesirable “grayware” that's not outright malicious. Higher scores indicate malware, with 10 being the most malicious (e.g., Stuxnet).

Certain social network apps qualify as grayware (score of 2) as do some popular games. The world’s most popular game at the moment is Pokemon Go. Is it malware? Consider three attributes:

3. Unexpected behavior: With Pokemon Go, what you expect is mostly what you get. But it does include features that might surprise users, such as the ability for business to buy Pokestops to attract customers to their stores. It also performs location tracking in ways that may be monetized in future.

Verdict: Pokemon Go has some hidden features but they’re generally benign so far.

5. Collects credentials and files: The iPhone/iPad version of Pokemon Go initially gained access to your Google password, Google Drive files, and Gmail emails if you logged in with a Google ID. Apparently this was an unintentional bug that seems to be fixed in the latest version.

Verdict: Pokemon Go had this troubling behavior at one time, but as far as we can tell it’s been removed.

10. Physical crossover: Pokemon Go is having surprising impacts on the physical world, some unpleasant or even dangerous. A friend of mine lives near a city park that’s now overrun by Pokemon Go players because it was designated a “gym”. The park has no parking area, it’s too small to hold the extra people, and a once quiet residential street now has much more traffic. Driving while Pokemoning (DWP) is against the law as some states are aggressively reminding drivers (see photo). More dangerously, armed robbers are creating Pokestops to lure victims to secluded places.

Verdict: Pokemon Go affects the physical world in serious ways but they are generally more due to user carelessness than the software itself.

For now Pokemon Go scores zero on the malware scale. If there was a guilty verdict on just one of the above attributes, it might be grayware. All three would arguably make it malware. But since none of the verdicts are clear, Pokemon Go remains innocent till proven guilty.

Pokemon Go does carry risks that players should be aware of. The CIA issued unclassified guidelines for military and intelligence personnel playing the game, most of which make good sense for civilians too. The Red Cross and various police departments have also issued safety tips for Pokemon hunters.

Malware has many faces, and not all are monsters.

Michael McCormick is in information security consultant, researcher, and founder of Taproot Security.

#pokemongo #malware

© 2020 Taproot Security

This site uses cookies for security.

Our cookies do not store personal information.