Pokemon Go is Endangering Your Company’s Security

Pokemon Go isn’t all fun and games. It can be a real danger for your company’s BYOD security. Here’s how you can stop it.

Fans of Pokémon Go are quick to remind non-players the benefits of playing the interactive game. But they haven't given a thought to your company's data and security.

Players are getting exercise in their pursuit of "catching them all." And as a Science World Report article stated, "Other health benefits of Pokémon Go include positive influence on the players' emotional and mental health. It provides the opportunity for social interaction and heightens the sense of belongingness."

However, what is a benefit in someone's personal life doesn't necessarily make it a benefit in one's work life. For small and medium businesses (SMB) that allow Bring Your Own Device (BYOD), Pokémon Go creates more risks than benefits. It's why the International Association of IT Asset Managers (IAITAM) has called for organizations to ban Pokémon Go on BYOD, as well as corporate-owned devices.

"Frankly, the truth is that Pokémon Go is a nightmare for companies that want to keep their email and cloud-based information secure. Even with the enormous popularity of this gaming app, there are just too many questions and too many risks involved for responsible corporations to allow the game to be used on corporate-owned or BYOD devices," Barbara Rembiesa, CEO of IAITAM said in a formal statement.

For example, when the app was originally released, a flaw in the original user agreements gave Pokémon Go full visibility into the user's Google account. "Many people may have their work email powered by a Google domain or Gmail as the back end," explained Vlad Gostomelsky, managing consultant, with Spirent, a telecommunications testing company. "This not only violates the agreements they have with their employers, but depending on countries laws and the contents of their email, may also violate numerous laws and create PCI and HIPAA violations."

Gostomelsky also warned of GPS spoofing risks. GPS spoofing is using radio signals to cause a GPS receiver to think it is someplace else. Pokémon Go has players traveling to certain locations in order to catch the characters. By using GPS spoofing, a player is able to place themselves anywhere on the globe, instantaneously.

"With a BYOD device, the employee is allowed to access corporate resources and applications from their device," said Gostomelsky. "If an employee installs a third party application to help them with GPS spoofing, they may inadvertently be installing malware, which will not only steal their personal information but may also compromise their employer or worse yet spread to the employer's network."

Speaking of malware, security company Zscaler found an Android SMS Trojan disguised as the Pokemon Go app, which, once downloaded, secretly sends SMS to premium numbers that ends up costing the victim money. "Although this threat is targeted toward end users rather than organizations," said Deepen Desai, director of security research at Zscaler, "If it is a corporate issued mobile device then it may cause financial loss to the organization as well."

The ThreatlabZ also found a variant of aggressive auto clicker making its way to Google's Playstore. The malware downloaded an auto clicker onto the phone that opens several pages and clicks on advertisements.

"The ClickFraud malware also leaks victim's sensitive information like device info, SIM details, time zones and location which may serve as a gateway for further attacks and infection to the SMBs using BYOD," Desai explained. Luckily, Google caught this in the Playstore before it did much damage, but cybercriminals will continue to pursue opportunities to spread malware, especially if they saw any level of success with a previous attempt.

Pokémon Go-related malware has been discovered in fake game apps found on third-party sites or outside the unofficial app marketplace. When the app was originally released, its availability was limited to only a handful of countries. Malicious copies were quickly made available, and unsuspecting users may unwittingly download one of these dangerous versions.

At least one was found to be loaded with a remote controlled tool (RAT) called DroidJack, which could give a cybercriminal access to any data stored on the device, including sensitive company emails and intellectual property.

Beware dropping lures, as well. Desai added that cybercriminals are using lures are hiding the malware payload.

While malware and data breaches may be the initial focus of the game's BYOD security risks, Pokémon Go presents other types of threats to the SMB. As Kyle Cebull pointed out in Smart Data Collective, the game requires users to utilize their cameras to capture a Pokémon character.

Many gamers like to take screen shots of their capture and post it on social media. "For those businesses dealing with extremely sensitive data or those that have company security policies that don't allow for camera use — this could be a massive issue," Cebull wrote.

And while this may not be a direct BYOD security risk, IAITAM's Rembiesa warned that playing Pokémon Go on BYOD could end up encouraging bad and risky mobile device behaviors.

"Pokémon Go must be considered a 'rogue download,' which is any software program downloaded onto a device that circumvents the typical purchasing and installation channels of the organization," she said in a statement.

To better protect company data, both Gostomelsky and Desai recommended that SMBs enforce strict Mobile Device Management policies to avoid such scam apps, as well as enforce usage of mobile security products to restrict such infections and block post-infection activity.

Yes, there are plenty of benefits to Pokémon Go players, but those benefits shouldn't overshadow the risks that playing the game on BYOD can cause employers (or the user's own personal information). Catching Pikachu shouldn't cost anyone their job.