Pokémon GO is a virtual world game app which is exploding in popularity around the world, but businesses need to make employees aware of potential security issues and need to manage its activation on work devices. Paul Ducklin explains…
Have you heard of Pokémon GO? If you haven’t, you probably will soon: it’s an online game for mobile phones, and it’s taken the world by storm. It works something like this:
You install the app, give it access to your location and your camera (amongst numerous other permissions), and set about finding Pokémon creatures in the game. Unlike most ‘virtual world’ games, however, the map used in Pokémon GO is the world around you, and the creatures you’re supposed to find are added to the map. To collect them, you actually have to go to where the virtual creatures are supposed to be. When the game figures your geolocation data is close enough to the target location, you turn on your phone’s camera, and, hey, look at that! There’s the creature, grafted into the live image, in what’s called ‘augmented reality’.
Once you’ve caught the three starter Pokémons, you need to venture around your neighbourhood to find PokéStops. PokéStops are supposed to be near important landmarks such as statues and monuments, where you can get hold of the ammo, sorry, Poké Balls, you need to catch more characters. Once you’ve got the balls, you can wander afield looking for Pokémons to shoot, ahem, capture, ahhh, train.
Obviously, walking around an urban landscape while watching your mobile phone screen is both dangerous and anti-social, as the app warns you each time you start it up, but there’s no mistaking the runaway popularity of Pokémon GO.
Apparently, the success of the app has also been a problem: overloaded servers, delays in signing up, and more. For that reason, it’s currently only available in the Apple App Store and on Google Play in a handful of countries; but availability is increasing. This lack of availability is pushing users to alternative markets to grab the software unofficially, always a risky thing to do. In fact, cyber-criminals are already targeting Pokémon GO, with at least one hacked ‘malware remix’ of the official Pokémon GO app doing the rounds. The ‘remix' is deliberately poisoned with an Android spyware/RATware/zombie toolkit that hides malware code inside a fully-functional and otherwise identical-looking version of the original app.
What should businesses do?
The problem for businesses is where devices running potentially dangerous versions of Pokémon GO have access to business information and networks. Organizations can take the following actions:
1) Inform and educate Android using employees to:
- Avoid apps with a poor or non-existent reputation. Don’t trust an app about which no one yet seems to know anything;
- Stick to Google Play when obtaining apps. Despite recent failures, it’s still safer than unregulated Android markets where anything goes;
- Use an Android anti-virus product.
2) Manage your business phones centrally. Various control systems are available which allow you to take control of options such as whether to allow untrusted app sources on phones used for work purposes.