Can We Stop the Pokemon GO Cyber Risks?

Games are supposed to be fun, but the privacy and security concerns surrounding Pokémon GO, the massively popular augmented-reality game, are anything but. With more than 100 million downloads in less than a month, Pokémon GO has taken the term “viral” to new levels. Also threatening to go viral are the cyber risks the game poses to sensitive business information.

In July 2016, gamers who downloaded Pokémon GO were told that the app had been given “full access” to their Google accounts. While this turned out to be a bit of a false alarm—in reality, the game only accesses basic profile data, according to The Guardian—more real and more serious security concerns abound.

In mid-July, for example, Pokémon GO was offline for a brief time. The outage may have been due to overwhelming server traffic. However, a hacking collective called OurMine claimed responsibility, telling PC Magazine in an e-mail that it would “stop the attack if any [Niantic] staff talked with us, because we will teach them how to protect their servers.” These distributed denial-of-service (DDOS) attacks helped make Pokémon GO the week’s top trending cybercrime target, as reported on the SurfWatch Cyber Risk Roundup for July 21, 2016.

Beware the Perils of Third-Party Downloads

Eager gamers who don’t want to wait for official releases turn elsewhere to get their hands on the latest and greatest—and do so at great risk. Researchers at Proofpoint discovered an infected Android version of Pokémon GO. This version had been modified to include a malicious remote access tool that would give an attacker complete control over a user’s phone. “Even though this [malware] has not been observed in the wild,” Proofpoint noted, “it [proves] that cybercriminals can take advantage of the popularity of applications like Pokémon GO to trick users into installing malware on their devices.”

Malware is a top concern for organizations. The Dell Security Annual Threat Report found that malware attacks nearly doubled to 8.19 billion in 2015. The Android ecosystem was the prime target, putting a large percent of smartphones at risk globally. And the Sixth Annual Study on Privacy & Security of Healthcare Data, conducted by Ponemon Institute, revealed that mistakes, such as unintentional employee actions, were cited as the root cause of half of data breaches. Employees who download software from untrusted sources could fall into that category.

More recently, an independent researcher uncovered a piece of ransomware masquerading as a Windows-based Pokémon GO application that targets Arabic-speaking users, according to SC Magazine. In addition to locking up data files, it leaves behind a Pikachu-themed ransom note. Even worse, the malware, reportedly still in development, adds a backdoor Windows account, spreading itself to other drives and creating a network share.

Mark James, a security specialist at Eset, told Infosecurity Magazine that this backdoor could let a hacker later connect to a victim’s computer to launch other attacks. “[This ransomware] is currently targeted at Arabic victims but could easily be adapted for global use and we could see it modified and spread in other countries,” he added.

Pokemon GO and BYOD: Bring Your Own Disaster

The dangerous practice of downloading software such as Pokémon GO from third-party sources is making BYOD an even greater issue for organizations that handle sensitive information.

The International Association of IT Asset Managers (IAITAM) called for a ban on the download and use of Pokémon GO on devices that access sensitive business data. “The truth is that Pokémon Go is a nightmare for companies that want to keep their email and cloud-based information secure,” IAITAM CEO Dr. Barbara Rembiesa, said in a press release. “There are just too many questions and too many risks involved for responsible corporations to allow the game to be used on corporate-owned or BYOD devices.”

Will Pokemon GO, The Next Generation Be More Secure?

Pokémon GO, Gen 2 is on the horizon, releasing possibly early next year, according to GameNGuide, and the Internet is rife with rumors as to what gamers can expect in the new iteration. What seems to be less popular is a discussion on how gamers can be wise about the use of Pokémon GO in the business world.

Education is key here. Employee awareness programs need to promote basic security hygiene reinforced with ongoing information about new threats like Pokémon GO and the consequences of poor security practices. As IAITAM put it, “Rather than simply banning Pokémon GO, corporations should also use this as a learning opportunity to encourage maximum employee understanding of the rationale against rogue downloads, particularly the security risks they represent.”

The bottom line? Catch all the Pokémon you want, but be careful not to catch a piece of malware in the process—malware that could put confidential business data at risk for data breach and other real-life disasters.