By now you’ve heard the chaos that accompanies Nintendo’s wildly popular augmented-reality game, Pokémon Go. You’ve heard about people who walk into immovable objects or off cliffs. You’ve heard about the Maryland driver so caught up in his game while behind the wheel that he slammed into a parked police car.
The game is so popular that the only things that have knocked it off the front pages are Donald Trump and the Republican National Convention. But what you probably haven’t heard is the full extent of the threats posed by random Pokémon gamers and those who want to exploit them.
To some extent, the rising threat levels are a result of the game not being available everywhere, the rapid adaptability of malware distributors and, most prominently, the remarkable degree of user cluelessness. But regardless of the cause, businesses now have to deal with the consequences. Unfortunately, those consequences can be significant.
In my previous column about Pokémon Go, I introduced you to a malware package named DroidJack, which basically lets the person controlling the malware control the Android phone it’s running on. The malware provides complete control of every aspect of the phone, including installing and running apps without the owner’s knowledge or permission. DroidJack, it seems, is a threat to the enterprise network as well as to individual mobile device users.
According to Kevin McNamee, director of the Nokia Threat Intelligence Lab, anyone can buy the DroidJack malware for $210 from the DroidJack public Website. The slickly produced site provides everything the aspiring malware distributor might want, including a detailed video tutorial on how to make it all work. It should be noted that the company selling the malware takes pains to refer to it as management software that will allow parents to track their children or companies to track their employees.
“You get a graphical user interface and a builder, which can build a native APK file, or you can bind DroidJack to an existing app,” McNamee explained. He said that this makes it possible to turn any Android app into a malware delivery system, but he noted that this works especially well with Pokémon Go because users aren’t necessarily thinking about security when they download and install it.
“This is the classic platform for an advanced persistent threat,” McNamee said. “They get a foothold and then scan around. They get into important computers, such as servers, and then exfiltrate information.”
Once an Android phone connects to the corporate WiFi, he said, it’s possible for it to scan the network for details about network resources and assets, names and users, and sometimes much more. That information can then be used for a subsequent phishing attack, which can then open the door for an assault on the company network.
Vast Influx of Pokémon Go Players Causes Security Threats to Proliferate
“If you bundle it with a network scanner, you can scan the corporate network,” McNamee said.
The vulnerabilities caused by employees running a game infected by DroidJack are bad enough, but now companies are becoming more vulnerable in their quest to use games such as Pokémon Go to build business. A number of businesses have discovered that they can attract Pokémon players by setting up what’s called a Lure to get the creatures created by the game to appear at their location.
The idea is that if you attract the players to your restaurant or store, some of them might buy things. However, according to Alvaro Hoyos, CISO of security and identity management company OneLogin, along with those gamers will come a number of people who are trying to take advantage of them.
We have already seen incidents where criminals use Pokémon Go to lure people to a particular site where they can be robbed at gunpoint. But it goes a lot further than that.
More sophisticated cyber-criminals may be trying to hack your company’s network or spreading the malware that will give them access. They will be targeting players and their WiFi or mobile carrier to see where it leads. “It might be connected to the corporate network,” he said. “They might find a vulnerability [in a retail point-of-sale system], or they might discover the network resources.”
According to Hoyos, before a company even considers allowing public access, including game playing, it first needs to make sure that its network is hardened and, if possible, make sure that the public WiFi isn’t connected to the corporate network in any way. He also noted that with such public interest, your company needs to make sure all patches, including those for the point-of-sale system, are kept up to date.
Hoyos also noted that some problems can extend beyond just damage caused by malware. “If you get people who want to use the public WiFi, and if you get people who are susceptible and they get hacked, they may blame the business,” he said. Hoyos said that you need to set boundaries at the beginning, if only because of the brand impact that would come with such attacks.
As the popularity of games such as Pokémon Go expands to include your employees and customers, the need to protect your network becomes increasingly urgent. While you should have had good network security already, the need now is immediate.
The fact is that games such as Pokémon Go are going to become more popular over time. There are sure to be more insanely popular games like Pokémon. This means that the problems won’t go away and the challenges to your enterprise security are going to become greater.
While you can’t eliminate threats such as Pokémon Go, you can at least be prepared for them, and the need for preparation has never been greater.