The popularity of Pokémon GO is apparently on the wane, but there are still more than enough players to make it a good lure for cyber crooks.
In fact, fake apps like the “Guide For Pokémon Go New” recently spotted on Google Play can end up being downloaded by as many as half a million users.
At least 6,000 users ended up installing and running it, Kaspersky Lab researcher Roman Unuchek notes, and additional victims are more than likely.
The Trojan inside
Unfortunately for them, the app is not only a Pokémon GO guide, but also packs a Trojan that will download root exploit packs for vulnerabilities dating from 2012 to 2015.
It will use them to gain root access rights to the infected device, and will then continue to install additional modules, unwanted apps, adware, and so on.
Interestingly enough, the fake app got many positive reviews on Google Play, and the 3.8 average vote probably fooled many.
One of the likely reasons behind this is the fact that the Trojan does not go to work immediately after the fake app is launched. It waits for another app to be downloaded and run, so that it can make sure that the device on which it finds itself is not a virtual machine.
If it’s not, it will wait an additional two hours before springing into action and sending information about the device to its C&C server. The server will get back to it with an ID string, then a file containing a URL from which it will download the encrypted exploit packs.
All those delays make it so that when users start seeing unwanted apps and ads on their device don’t immediately connect the actions to the bogus Pokémon GO app they have installed hours or days before.
This particular app has been removed from Google Play, but the Trojan, detected as HEUR:Trojan.AndroidOS.Ztorg.ad by Kaspersky Lab, has previously been found in at least nine other apps on Google Play since December 2015. None of those turned out to be so popular with users, but you can count on the Trojan cropping up again in the app store.