by RSS Roland Dela Paz  |  Aug 24, 2016  |  Filed in: Security Research

Pokémon Go’s rapid rise in popularity has attracted cybercriminals to leverage its hype for their malicious intents. So far, we have seen backdoored Pokémon Go apps, lockscreen apps, scareware apps, SMS spam, as well as Windows ransomware.

This time we have seen a new attack that takes aim at Pokémon Go users themselves, in the form of a fake Windows-based Pokémon Go Bot. A Pokémon Go Bot is an application that works as a fake Pokémon trainer in order to level up a user’s account without putting in any effort. As such, many Pokémon Go players use Pokémon Go Bots in order to gain an advantage in the game.

The fake Pokémon Go Bot arrives as a package that appears to target Portuguese-speaking users:

The package contains a file named “PokemonGo.RocketAPI.Console.exe” (detected as MSIL/PokBot.A!tr.pws) that displays the following user interface:

As can be seen above, this interface asks for the user’s Pokémon Trainer Club (PTC) credentials, or the Google email credentials used in the Pokémon Go account. It lures the user into thinking that logging in with their credentials will allow the Bot to automatically enhance their accounts.

To make it look realistic, the “… Site” button in the interface opens a GitHub repository site of a legitimate but unrelated Pokémon Go Bot on the browser.

The “Version ..” button, on the other hand, only displays the following prompt:

Ultimately, the code of this application has nothing to do with Pokémon Go. Instead, it simply forwards the keyed Pokémon Go credentials to a predefined email address when the user clicks the “~ Login ~” button:

An example of an email issued by the malware is as follows:

“Contas Roubadas” are Portugese words that mean “Stolen Accounts”, while “Senha” translates to “Password.”

Based on the logs present in the email account, some users have already taken the bait and keyed in their credentials to this bogus application.

Conclusion

With so many people getting hooked into Pokémon Go, it is not hard to imagine that some players may be willing to purchase Pokémon Go accounts that have an already levelled-up profile. Therefore, it makes sense for cybercriminals to target Pokémon Go users who opt to use bots, as there is a high likelihood that their profiles are levelled-up and are therefore profitable. Fortunately, Niantic now permanently bans user accounts that it identified to be using bots.

It is also worth noting that since the vast majority of players use their Gmail accounts to register a Pokémon Go account, it seems reasonable to assume that other attacks may stem from these accounts being compromised by MSIL/PokBot.A!tr.pws, such as identity theft.

We anticipate that more attacks leveraging Pokémon Go will surface in the future. We advise users to be vigilant when downloading software related to Pokémon Go, especially from unknown sources.

 

-= FortiGuard Lion Team =-

SHA-256 hash of MSIL/PokBot.A!tr.pws:

bba37ebb57750caf1b5375de9c1daba09a3e852e058ff57207daf3bb7f14be97

You can read other analyses of the Pokemon Go application and related threats here:

Risk - or not - not Behind Pokemon Go

Pokemon Go Plus Preview (Through Reverse Engineering)

by RSS Roland Dela Paz  |  Aug 24, 2016  |  Filed in: Security Research