MTP Catches Aggressive Ad Displaying App in Google Play Leveraging Pokémon

Introduction

The popular app Pokémon Go quickly became a target for cyber criminals following its initial release in early July 2016. We have already seen reports of malicious apps purporting to be Pokémon Go in order to attract users who do not have access to the official version. To make matters worse, fake Pokémon Go apps have also been observed on the official Google Play store, with one malicious app locking up the screens of Android devices.

MTP Catches a Threat

FireEye Mobile Threat Prevention (MTP) recently enabled FireEye mobile researchers to identify one such risky Pokémon Go-themed app that made its way into the Google Play store. The app – named “Install Pokemongo” (MD5: d915606c4ab26ec265a2377cb884770f) – was discovered on July 13, 2016, and was observed aggressively displaying advertisements in ways that violate Google Play's developer policies.

FireEye MTP uses a combination of semantic, dynamic and behavioral analysis to give comprehensive on-demand threat assessments. Its detection capabilities for aggressive ad libraries helped us locate this risky app within days of it going live.

On the Google Play website, the app claimed to show Spanish speakers how to install Pokémon Go easily and quickly, as seen on the left side of Figure 1. Since Pokémon Go was not yet available in Spain and other Spanish-speaking regions at the time of writing, users eager to start catching Pokémon had a strong incentive to download the risky app.

Although the app does display some instructions, FireEye MTP revealed that it also serves two types of ads that violate Google Play’s Developer Content Policy:

  • Ads that display outside of the app serving them.
  • Ads that are triggered by the home button or other features explicitly designed for exiting the app.

Following our discovery, we immediately notified Google of this adware, and Google promptly removed it from the Google Play store. Prior to its removal, the risky app had been downloaded between 5,000 and 10,000 times.

Aggressively Displaying Ads

The right side of Figure 1 shows the main page of the risky app, which appears after the user starts the app and a loading page is displayed.

Figure 1. Install Pokemongo on Google Play and its main UI

As seen on this page, the app does provide some instructions (in Spanish) that claim to help users find and download Pokémon Go, but it’s unclear what happens if users follow these instructions.

Once the main page is shown, we observed ads being displayed aggressively in two distinct scenarios.

Aggressive Ad-Display Scenario 1

After the app shows its main page of instructions on how to allegedly download Pokémon Go, one would expect pressing the Android back button to exit the app. Instead, pressing the back button leads to a full-screen ad page.

Figure 2 shows several examples of the ads captured by FireEye MTP. Most of them promote one or more other apps. In one case, the ad automatically redirects the user to the promoted app’s page in Google Play if the user takes no action within five seconds.

Figure 2. Ads examples shown in scenario 1

Aggressive Ad-Display Scenario 2

A few seconds after displaying the alleged installation guidance for Pokémon Go, Install Pokemongo opens several browser windows showing a variety of ads, without any user interaction. This violates Google Play’s policy that ads must be served inside the app itself.

Figure 3 shows several examples of the ads captured by FireEye MTP. Most of them try to lure users into online “lucky contender” contests; one even claims the user can win a pile of Pokécoins, the currency used in the legitimate Pokémon Go app. In other cases a virus-warning page is displayed.

Figure 3. Ads examples shown in scenario 2
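As an added example (not FireEye MTP code, and not code from the app itself), the following Python script shows how the two behaviors above can be flagged statically in decompiled smali, the text form of Dalvik bytecode produced by tools such as apktool/baksmali. Scenario 1 corresponds to an onBackPressed override that starts an Activity without chaining to super.onBackPressed(); scenario 2 to an ACTION_VIEW intent with a hard-coded http(s) URL started from a method that is not a tap handler, such as a Runnable posted on a timer. The smali fragments, class names and ad URL are constructed for illustration, and the two rules are heuristics (an app that legitimately opens its privacy policy from onResume would trip rule 2), so hits are triage leads for dynamic analysis, not verdicts.

```python
"""Static triage of decompiled smali for the two aggressive-ad behaviors.
Added example: the rules and the sample smali below are constructed."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

CLASS_RE = re.compile(r"^\.class\s+[\w\s]*?(?P<cls>L[\w/$]+;)", re.MULTILINE)
METHOD_RE = re.compile(
    r"^\.method\s+(?P<mods>[\w\s]*?)(?P<name>[<>\w$]+)\((?P<params>[^)]*)\)(?P<ret>\S+)\s*$"
    r"(?P<body>.*?)^\.end method",
    re.MULTILINE | re.DOTALL,
)
SUPER_BACK_RE = re.compile(r"invoke-super\s*\{[^}]*\},\s*L[^;]+;->onBackPressed\(\)V")
HTTP_CONST_RE = re.compile(r'const-string\s+\w+,\s*"https?://')
# Opening the browser from a tap handler is ordinary, user-initiated behavior.
TAP_HANDLERS = {"onClick", "onItemClick", "onLongClick", "onTouch"}


@dataclass
class Finding:
    cls: str
    method: str
    rule: str


def iter_methods(smali: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (class, method name, method body) for every method in one smali file."""
    m = CLASS_RE.search(smali)
    cls = m.group("cls") if m else "<unknown>"
    for mm in METHOD_RE.finditer(smali):
        yield cls, mm.group("name"), mm.group("body")


def triage(smali: str) -> List[Finding]:
    findings: List[Finding] = []
    for cls, name, body in iter_methods(smali):
        # Rule 1 (scenario 1): onBackPressed starts an Activity and never chains to
        # super.onBackPressed(), so the back button shows an ad instead of exiting.
        if name == "onBackPressed" and "->startActivity(" in body and not SUPER_BACK_RE.search(body):
            findings.append(Finding(cls, name, "back-button-hijack"))
        # Rule 2 (scenario 2): ACTION_VIEW on a hard-coded http(s) URL launched from
        # something other than a tap handler, e.g. a Runnable.run() posted on a timer.
        if ("android.intent.action.VIEW" in body and HTTP_CONST_RE.search(body)
                and "->startActivity(" in body and name not in TAP_HANDLERS):
            findings.append(Finding(cls, name, "out-of-app-ad"))
    return findings


# Constructed smali modelled on scenario 1: back button opens an interstitial ad Activity.
BACK_HIJACK_SMALI = """\
.class public Lcom/example/guide/MainActivity;
.super Landroid/app/Activity;

.method public onBackPressed()V
    new-instance v0, Landroid/content/Intent;
    const-class v1, Lcom/example/adlib/InterstitialActivity;
    invoke-direct {v0, p0, v1}, Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)V
    invoke-virtual {p0, v0}, Lcom/example/guide/MainActivity;->startActivity(Landroid/content/Intent;)V
    return-void
.end method
"""

# Constructed smali modelled on scenario 2: an anonymous Runnable (the kind passed to
# Handler.postDelayed) opens the browser on an ad URL with no user interaction.
TIMER_AD_SMALI = """\
.class public Lcom/example/guide/MainActivity$1;
.super Ljava/lang/Object;
.implements Ljava/lang/Runnable;

.method public run()V
    const-string v0, "android.intent.action.VIEW"
    const-string v1, "http://ads.example.invalid/lucky-winner"
    invoke-static {v1}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    move-result-object v1
    new-instance v2, Landroid/content/Intent;
    invoke-direct {v2, v0, v1}, Landroid/content/Intent;-><init>(Ljava/lang/String;Landroid/net/Uri;)V
    iget-object v3, p0, Lcom/example/guide/MainActivity$1;->this$0:Lcom/example/guide/MainActivity;
    invoke-virtual {v3, v2}, Lcom/example/guide/MainActivity;->startActivity(Landroid/content/Intent;)V
    return-void
.end method
"""

# Constructed compliant counterpart: back chains to super; the browser opens only on a tap.
CLEAN_SMALI = """\
.class public Lcom/example/guide/CleanActivity;
.super Landroid/app/Activity;

.method public onBackPressed()V
    invoke-super {p0}, Landroid/app/Activity;->onBackPressed()V
    return-void
.end method

.method public onClick(Landroid/view/View;)V
    const-string v0, "android.intent.action.VIEW"
    const-string v1, "https://www.example.com/help"
    invoke-static {v1}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    move-result-object v1
    new-instance v2, Landroid/content/Intent;
    invoke-direct {v2, v0, v1}, Landroid/content/Intent;-><init>(Ljava/lang/String;Landroid/net/Uri;)V
    invoke-virtual {p0, v2}, Lcom/example/guide/CleanActivity;->startActivity(Landroid/content/Intent;)V
    return-void
.end method
"""

if __name__ == "__main__":
    for label, smali in (("back-hijack", BACK_HIJACK_SMALI), ("timer-ad", TIMER_AD_SMALI), ("clean", CLEAN_SMALI)):
        print(label, [(f.cls, f.method, f.rule) for f in triage(smali)])
```

Each call handles one smali file; for a real APK, run triage() over every .smali file under the apktool output directory and attribute findings by package so that ad-library classes can be told apart from the app's own code.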

Impact

Unexpected ads can affect users in a variety of ways: unwary users may end up installing potentially malicious apps on their devices, or have their privacy compromised.

After confirming the app’s aggressive ad behavior, we immediately notified Google (as well as Nintendo and Pokémon Go developer Niantic Inc.), and Google promptly removed the risky app from the Google Play store. The app’s most recent update occurred on July 8, 2016. On July 14, 2016, prior to its removal, the app had been downloaded between 5,000 and 10,000 times, as shown in Figure 4.

Figure 4. Additional information about the Install Pokemongo app on Google Play

Conclusion

Cyber criminals will always target the hottest apps to distribute malicious payloads, and with Pokémon Go unavailable in some countries, people will undoubtedly look for other ways to install the popular app, even when doing so is risky.

The current best practice for users is simply not to download apps from third-party app stores; however, as this post demonstrates, the Google Play store is not entirely immune to hosting risky apps either. Users should always exercise caution when downloading apps to their mobile devices, and remain extra vigilant when following directions provided within such apps.

We recommend using FireEye’s MTP and Mobile Security Management (MSM). These products helped us capture this sneaky threat and provide extra protection that complements Google Play’s in-house vetting tools.