According to Sean Richmond, the Senior Technology Consultant at Sophos, businesses need to be aware of the risks associated with employees playing Pokémon Go at work, either on a work device or on a device that is plugged into a work system.
Fake Pokémon Go app
He explained that a “malware remix” of the app is already targeting users, tracking them, watching them and listening in on their calls.
“While Apple only lets you install apps from the official App Store, on Android, there’s an option to ‘Allow apps from untrusted sources’,” he said.
“This opens up your phone to software from anywhere, not just Google Play. So, millions of people all over the world are deliberately lowering their Android security settings to pirate Pokémon GO from unofficial download sites. Of course, the question everyone is probably asking is: is it safe to do this? Especially as millions of people have already pirated the app, apparently without anything bad happening, so surely the many millions who follow the crowd will be OK, too?
“This sort of “risk-taking herd mentality” is exactly what the cybercrooks can take advantage of. In fact, they already have been, with at least one hacked “malware remix” of the official Pokémon GO app doing the rounds. The “remix” is deliberately poisoned with an Android spyware/RATware/zombie toolkit that hides malware code inside a fully-functional and otherwise identical-looking version of the original app. And when we say identical, we mean it literally.”
Here are the startup screens of the original and of the malware-infected version:
The risk facing employers
So, what are the implications for Australian businesses?
“Unless employees use a secure network security system at home, you leave your phone exposed to potential malware infections,” Richmond said.
“As soon as this device enters the workplace, an employee puts the entire network at risk. Even worse, employees may potentially be using their professional credentials to access Pokémon Go. Imagine if employees are using their work email account to log into the game, this instantly opens up their device, their emails, their business’ network to malware. Malware is designed to steal your credentials without you knowing. Once the malware is on this device, what company documents or portal credentials are they able to access? It’s safe to say that this is not the type of information you want in the hands of cybercrooks.”
Richmond identified a few immediate actions that SMEs can take to ensure the Pokémon GO craze does not wreak havoc on their business network:
- Avoid apps with a poor or non-existent reputation.
- Stick to Google Play – it’s safer than unregulated Android markets where anything goes.
- Use an Android anti-virus for protection against malicious and low-reputation apps.
- Manage your business phones centrally, to ensure untrusted app sources are not allowed on phones used for work.
- Educate your employees on the potential threats, as it only takes one employee getting infected with malware to cause chaos within the organisation.
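
One way to check a work phone against the advice above is to list each third-party app with the installer that put it there and flag anything that did not come from Google Play. The script below is an added example, not from Sophos or the original article; it parses the output of `adb shell pm list packages -i -3`, and the trusted-installer list, package names and sample output are constructed assumptions.

```python
"""Audit third-party Android packages by installer source (added example)."""
import re

# Installers treated as trusted: an assumption for this example, set per fleet policy.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

# One line of `pm list packages -i -3` output looks like:
#   package:com.example.app  installer=com.android.vending
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def find_sideloaded(pm_output, trusted=TRUSTED_INSTALLERS):
    """Return sorted (package, installer) pairs whose installer is not trusted.

    An APK installed from a downloaded file often has no installer of record
    (shown as "null"); alternative app stores report their own package name.
    """
    flagged = []
    for line in pm_output.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank lines and adb warnings
        pkg, installer = match.group("pkg"), match.group("installer")
        if installer not in trusted:
            flagged.append((pkg, None if installer == "null" else installer))
    return sorted(flagged, key=lambda item: item[0])


def unknown_sources_enabled(setting_value):
    """Interpret `adb shell settings get secure install_non_market_apps`.

    The global toggle applies to Android 7 and earlier; "1" means the
    "untrusted sources" option is switched on.
    """
    return setting_value.strip() == "1"


# Constructed sample output, not captured from a real device.
SAMPLE = """\
package:com.example.mail  installer=com.android.vending
package:com.example.game.remix  installer=null
package:com.example.tools  installer=com.example.altstore
"""

if __name__ == "__main__":
    for pkg, installer in find_sideloaded(SAMPLE):
        print(f"REVIEW {pkg}: installer={installer or 'none recorded'}")
```

A flagged package is a prompt for review rather than proof of infection, since legitimately deployed in-house apps can also lack a Play installer record.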