Google parent company Alphabet has boasted that it is notifying users of around 4,000 state-sponsored cyber attacks a month, just as the Pokémon Go app was found to have been granted unfettered access to players' Google accounts.
Diane Greene, senior vice-president of Google and Alphabet board member, made the security claim at a tech conference in Aspen, Colorado, Reuters reports.
Google – similar to Microsoft, Yahoo and others – has taken several steps aimed at winning back users’ trust, including introducing encryption and publishing reports on government data requests twice a year.
But Greene's efforts to highlight Google security have coincided with the discovery that the augmented reality game app Pokémon Go could access users' Google accounts, posing a potential risk to corporate networks and systems where employees use personal devices at work.
Software architect Adam Reeve discovered that the game, developed by Google spinoff Niantic, is granted "full access" to the Google accounts of anyone who signed up to play on Apple devices using their Google account.
This means that without asking permission Pokémon Go and Niantic could read users' email, use those email accounts to send messages, access and delete Google Drive documents, look at search history, access Google Photos and a whole lot more, he wrote in a blog post.
Reeve said developers specify what level of access they want when they set up the “Sign in with Google” functionality.
“Best practices – and simple logic – dictate you ask for the minimum you need, which is usually just simple contact information,” he said.
But Reeve said the "huge security risk" was probably just the result of "epic carelessness". He confirmed in a later blog post that Niantic and Google were taking steps to fix the problem.
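As an added illustration of the scope choice Reeve describes (example code, not Niantic's or Google's), the following Python builds a Google sign-in authorization URL that requests only the identity scopes, and audits any such URL for scopes that go beyond them. The authorization endpoint and the openid, email and profile scope names are Google's real values; the client ID, redirect URI and state value are placeholders.

```python
"""Least-privilege OAuth scopes for "Sign in with Google".

Added example, not code from Niantic or Google. The endpoint and the
openid/email/profile scopes are real; client_id, redirect_uri and state
below are made-up placeholders.
"""
from urllib.parse import urlencode, urlparse, parse_qs

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Everything a sign-in button needs: a stable identity plus basic contact details.
MINIMAL_SIGN_IN_SCOPES = ("openid", "email", "profile")


def build_auth_url(client_id, redirect_uri, state, scopes=MINIMAL_SIGN_IN_SCOPES):
    """Build the authorization-code request URL with an explicit scope list."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,  # anti-CSRF token bound to the user's session
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def overbroad_scopes(auth_url, allowed=MINIMAL_SIGN_IN_SCOPES):
    """Return the scopes in an authorization URL that exceed the allowed set.

    Run this against the URL an app actually emits before release: anything
    returned (a Gmail or Drive scope, for example) is more access than a
    sign-in flow needs.
    """
    query = parse_qs(urlparse(auth_url).query)
    requested = query.get("scope", [""])[0].split()
    return [s for s in requested if s not in allowed]


if __name__ == "__main__":
    # Placeholder client details, not a real Google project.
    good = build_auth_url("example-client-id", "https://app.example/callback", "s3cr3t-state")
    print("minimal request, extra scopes:", overbroad_scopes(good))
    greedy = build_auth_url(
        "example-client-id", "https://app.example/callback", "s3cr3t-state",
        scopes=("openid", "email", "https://mail.google.com/",
                "https://www.googleapis.com/auth/drive"),
    )
    print("greedy request, extra scopes:", overbroad_scopes(greedy))
```

The audit works on the URL rather than on the developer's intent, so it also catches a scope list that was widened by a library default or a copy-pasted sample.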
However, security researchers have highlighted other privacy and security risks associated with Pokémon Go because of its extensive permissions to take pictures and video, access location data, find and use accounts on the device, view network connections and access Bluetooth connections.
Malware in unofficial Pokémon Go apps
Researchers at security firm Proofpoint have also warned against downloading the game from unofficial sources after spotting a malicious Android version that was uploaded to a file repository shortly after the game’s official release.
The researchers said the malicious version of the game contains a remote access tool called DroidJack, which could give attackers full control of the user’s mobile phone.
Official versions of the game were released initially only in the US, Australia and New Zealand, leading fans outside those countries to look for alternative third-party download sites. However, these sites typically provide Android application package (APK) files, which can be modified to include malware.
The Proofpoint researchers said they had not seen the malicious versions of the Pokémon Go APK in the wild, but that the samples they had seen represented an "important proof of concept". The malware poses a security risk not only to users, but to businesses where employees use personal devices to access corporate networks.
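As an added check that is not part of the original article or of Proofpoint's research: before sideloading an APK, compare its signing certificate with that of a copy installed from Google Play. A repackaged APK, such as one with DroidJack added, cannot carry the original developer's signature. The example uses the real apksigner tool from the Android SDK build-tools and the "Signer #1 certificate SHA-256 digest:" line it prints; the pinned digest is a placeholder, not Niantic's real value.

```python
"""Pin the signing certificate of a sideloaded APK.

Added example, not Proofpoint's or Niantic's code. apksigner and its output
format are real; PINNED_SHA256 is a placeholder to be replaced with the digest
read from an APK obtained from Google Play.
"""
import re
import shutil
import subprocess

# Placeholder digest (all zeros), not the real Pokémon Go signer.
PINNED_SHA256 = "00" * 32

DIGEST_LINE = re.compile(
    r"^Signer #1 certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\s*$", re.MULTILINE
)


def signer_sha256(apksigner_output):
    """Extract the first signer's SHA-256 certificate digest from apksigner text."""
    match = DIGEST_LINE.search(apksigner_output)
    return match.group(1).lower() if match else None


def digest_matches(actual, pinned=PINNED_SHA256):
    """True only when a digest was found and equals the pinned one."""
    return actual is not None and actual.lower() == pinned.lower()


def verify_apk(path, pinned=PINNED_SHA256):
    """Run `apksigner verify --print-certs` on a file and check the signer pin.

    A non-zero exit means the signature does not verify at all (unsigned or
    tampered); a verified but different signer means a repackaged build.
    """
    apksigner = shutil.which("apksigner")
    if apksigner is None:
        raise RuntimeError("apksigner not found; install the Android SDK build-tools")
    proc = subprocess.run(
        [apksigner, "verify", "--print-certs", path],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return False
    return digest_matches(signer_sha256(proc.stdout), pinned)


if __name__ == "__main__":
    import sys
    apk = sys.argv[1] if len(sys.argv) > 1 else "pokemon-go.apk"  # placeholder path
    print("signer matches pin:", verify_apk(apk))
```

The comparison is deliberately on the certificate digest rather than on the APK's own hash, because legitimate updates change the file but not the developer's signing key.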
Kevin Epstein, vice-president, Threat Operations Centre at Proofpoint, said DroidJack gives attackers complete access to mobile devices.
“This includes text messaging, GPS data, phone calls, camera – and any business network resources that users access,” he said.
This makes both the practice of downloading apps from unofficial app stores and the presence of apps such as the malicious version of Pokémon Go especially concerning, said Epstein.
“Installing apps from third-party sources, instead of officially vetted and sanctioned corporate app stores, is never recommended,” he said.
The malicious version of Pokémon Go observed by the researchers demonstrates how cyber criminals can take advantage of popular apps to trick users into installing malware on their devices.
“App users should be extremely wary of downloading apps from app stores other than the Apple App Store and Google Play. Many other app stores do not have security controls to prevent malicious attackers from posting versions of apps that have been tampered with,” said Epstein.