OREANDA-NEWS. September 15, 2016. Kaspersky Lab experts have discovered a new malicious application on the Google Play store titled “Guide for Pokemon Go” which has been downloaded more than 500,000 times, with at least 6,000 successful infections. This application is capable of seizing root access rights on Android smartphones and utilizing those to install or uninstall apps and display unsolicited ads. Kaspersky Lab has reported the Trojan to Google and the app has been removed from the Google Play Store.

The global phenomenon of Pokemon Go has resulted in a growing number of related apps and, inevitably, increased interest from the cybercriminal community. The “Guide for Pokemon Go” root Trojan includes some interesting features that help it to bypass detection. It doesn’t start as soon as the victim launches the app. Instead, it waits for the user to install or uninstall another app, and then checks to see whether that app runs on a real device or on a virtual machine.

If it’s dealing with a device, the Trojan will then wait another two hours before starting its malicious activity. Even then, infection is not guaranteed. After connecting with its command server and uploading details of the infected device, including country, language, device model and OS version, the Trojan will wait for a response. Only if it hears back will it proceed with further requests and the downloading, installation and implementation of additional malware modules.

This approach means that the control server can stop the attack from proceeding if it wants to - skipping those users it does not wish to target, or those which it suspects are a sandbox/virtual machine, for example. This provides an additional layer of protection for the malware.

Once rooting rights have been enabled, the Trojan will install its modules into the device’s system folders, silently installing and uninstalling other apps and displaying unsolicited ads to the user.

Kaspersky Lab analysis shows that at least one other version of the malicious Pokemon Guide app was available through Google Play in July 2016. Further, researchers have tracked back at least nine other apps infected with the same Trojan and available on Google Play Store at different times since December 2015.

Our data suggests that there have been just over 6,000 successful infections to date, including in Russia, India and Indonesia. However, since the app is oriented towards English-speaking users, people in such geographies, and more, are also likely to have been hit.

“In the online world, wherever the consumers go, the cybercriminals will be quick to follow,” said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab. “Pokemon Go is no exception. Victims of this Trojan may, at least at first, not even notice the increase in annoying and disruptive advertising, but the long term implications of infection could be far more sinister. If you’ve been hit, then someone else is inside your phone and has control over the OS and everything you do and store on it. Even though the app has now been removed from the store, there’s up to half a million people out there vulnerable to infection – and we hope this announcement will alert them to the need to take action.”

People concerned that they may encounter the Trojan should install a reliable security solution on their device. If they are already infected, the best way to remove the rooting malware is to backup all data and reset the device to factory settings. In addition, Kaspersky Lab advises users to always check that apps have been created by a reputable developer, to keep their OS and application software up-to-date, and not to download anything that looks at all suspicious or whose source cannot be verified.

To learn more about the Pokemon Go Guide rooting Trojan, read the blog on Securelist.com. All Kaspersky Lab products detect the Trojan as HEUR:Trojan.AndroidOS.Ztorg.ad.