A malicious version of the popular game is seeking to take over Android handsets
Separately, police in the US have said that the game has been used to carry out armed robberies, while there have been a number of reports of people injuring themselves while playing.
Pokémon Go has attracted huge numbers of downloads in New Zealand, Australia and the US, where it was released last week, but the game hasn’t yet been made officially available in other countries, leading many to install versions obtained from outside of mainstream app stores.
Nintendo has not set a release date for the game in the UK, and has said it plans to delay launching in more countries due to an excessive load on the servers that make the game run. The game is the first Nintendo has released for the iOS and Android mobile platforms.
Security firm Proofpoint said it had found a version of the game APK, or Android installer file, infected with a remote access tool (RAT) called DroidJack or SandroRAT which, when installed, would give an attacker control over a device.
The APK was uploaded to a malicious file repository on July 7, not long after the game’s July 4 release in New Zealand and Australia, and isn’t yet known to have infected any users’ devices, Proofpoint said.
“Many large media outlets provided instructions on how to download the game from a third party,” Proofpoint said in an advisory. “Some even went further and described how to install the APK downloaded from a third party. Unfortunately, this is an extremely risky practice.”
Devices infected by malicious applications can in turn compromise organisations’ networks, Proofpoint said.
The firm said users can find out if they have installed an infected version of the game by checking the SHA256 hash of the file or reviewing its permissions.
“Even though this APK has not been observed in the wild, it represents an important proof of concept: namely, that cybercriminals can take advantage of the popularity of applications like Pokémon GO to trick users into installing malware,” the company stated. “Just because you can get the latest software on your device does not mean that you should.”
Police in O’Fallon, Missouri said on Sunday that a group of four armed men had used Pokémon Go to lure victims to specific places in order to rob them.
The muggings, which took place in O’Fallon as well as nearby St. Louis and St. Charles counties, involved the game’s use of precise real-world locations where users are required to go in order to collect in-game items or engage in battles, police said.
The attackers used a game function that allows in-game items to be placed at a location, called a Pokéstop, making the site more attractive to players, and succeeded in mugging eight or nine people, according to police.
“Apparently [the muggers] were using the app to locate people standing around in the middle of a parking lot or whatever other location they were in,” they stated.
In another incident, 19-year-old Shayla Wiggins, of Wyoming, stumbled across a dead body in the Big Wind River while looking for a Pokéstop, according to local reports.
A 21-year-old communications graduate in Long Island, New York, fell off his skateboard while playing the game and a 22-year-old freelance web designer fell and twisted her ankle when her handset alerted her to a nearby Pokéstop.
“It vibrated to let me know there was something nearby and I looked up and just fell in a hole,” said Kyrie Tompkins, of Waterville, Maine, according to the BBC.
Pokémon GO was developed by Niantic, a spin-off of Google parent company Alphabet, and has made a name for itself with previous games incorporating location-based elements.
Are you a security pro? Try our quiz!