How To Avoid Shady Third-Party Apps Piggybacking On Popularity Of Pokémon Go

Amid the crowds of roving Pokémon Go players out there following virtual monsters around with their phones, there are likely some who might be interested in downloading third-party or ancillary apps to help them in their quest. But as with any popular tech phenomenon, there could be dark forces lurking out there: shady apps that you should avoid.

Fans of Pokémon Go may have already encountered one such bad player, when someone released a malicious, unofficial version of the app for Android on the internet, as security firm Proofpoint reported over the weekend. Because Nintendo and Niantic have only released the game in the U.S., Australia, and New Zealand so far, players in other parts of the world had been passing around APK files (Android application package) to share it that way instead.

Folks would install these unofficial versions of the game by “sideloading” — when you tell your phone to trust a version of an app that’s not from an app store — and one of those files came with a whole bunch of malware.

One big red flag to watch out for in situations like this is to compare a downloaded app’s list of permissions to the list of permissions required by the authorized version, advises Noah Swartz of the Electronic Frontier Foundation.

“The way that you can tell if it’s malware is if it requests more permissions than the app says it does,” he explained to Consumerist. “So you can go check in the Play Store and see what permissions the Pokémon Go app would normally request, and then you can see what the app on your phone requests.”

In the case of the recent fake Pokémon Go app that was being circulated, for example, the permissions it was requesting should’ve made it somewhat easy to spot: while the real version of the app only wants location data and the ability to say things to your phone, the malware version wanted access to users’ contacts, a full data connection — basically, “it wanted all of these things that the normal one didn’t,” Swartz notes.
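The comparison Swartz describes can be done mechanically once you have the permission list of a known-good copy (from the Play Store listing or the official APK) and of the copy you were handed. The script below is an added example written for this article, not code from Consumerist, the EFF, or Niantic. It assumes the text format printed by the Android SDK's `aapt dump permissions <file.apk>` command (lines such as `uses-permission: name='android.permission.INTERNET'`); the two dumps embedded in it are constructed sample data under a made-up package name, not real Pokémon Go output, and the high-risk watch list is a hand-picked assumption rather than an official classification.

```python
"""Flag permissions a sideloaded APK requests beyond a known-good baseline.

Added illustration for the article; not code from Consumerist, the EFF or
Niantic. Assumes the line format of `aapt dump permissions <apk>`.
The two dumps at the bottom are constructed sample data.
"""
import re

# Hand-picked watch list (an assumption, not an official Android list) of
# permissions that usually mean data harvesting when a game or utility
# has no plausible need for them.
HIGH_RISK = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
}

# Accepts both "uses-permission: name='X'" (newer aapt) and the older
# "uses-permission: X" form, plus the "uses-permission-sdk-23" variant.
_PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?")


def parse_permissions(dump: str) -> set[str]:
    """Return the set of permission names found in an aapt permissions dump."""
    perms = set()
    for line in dump.splitlines():
        m = _PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms


def compare(baseline_dump: str, suspect_dump: str) -> dict:
    """Diff a suspect dump against the baseline and grade the result."""
    baseline = parse_permissions(baseline_dump)
    suspect = parse_permissions(suspect_dump)
    extra = suspect - baseline
    return {
        "extra": sorted(extra),                      # requested but not in baseline
        "missing": sorted(baseline - suspect),       # in baseline but not requested
        "high_risk_extra": sorted(extra & HIGH_RISK),
        "verdict": "SUSPICIOUS" if extra else "MATCHES_BASELINE",
    }


# Constructed sample: the permissions the official listing shows ...
OFFICIAL_DUMP = """\
package: com.example.official
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.VIBRATE'
"""

# ... and a constructed sideloaded copy that asks for far more.
SIDELOADED_DUMP = """\
package: com.example.official
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.VIBRATE'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

if __name__ == "__main__":
    report = compare(OFFICIAL_DUMP, SIDELOADED_DUMP)
    print("Verdict:", report["verdict"])
    for perm in report["extra"]:
        marker = "  <-- high risk" if perm in HIGH_RISK else ""
        print("  extra:", perm + marker)
```

On a real file you would run `aapt dump permissions` against both the official APK and the suspect one and feed the two outputs to `compare()`; anything in `extra` is what the copy wants that the genuine app does not, and `high_risk_extra` is the short list worth looking at first. Note that a matching permission list is necessary but not sufficient: a repackaged APK can hide extra behaviour behind permissions the real app legitimately holds, which is why the article's advice to install only from the official store still stands.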

If you really want to have a guarantee of security, Swartz recommends you only download official apps from the App Store or the Play Store, depending on your device, from verified sources like Niantic.

Then there are the third-party apps that offer to guide you on your Pokequest, or help you in some way (though cheating with “unofficial or modified software” is against Niantic’s Trainer Guidelines).

These apps won’t necessarily request the same list of permissions as the app for the game itself does, but taking a careful look at the permissions they DO ask for can also be a good way to suss out any bad actors: are they reasonable, considering what the app is supposed to do? For example, an app that promises to sort your assorted Pokémon probably won’t need access to your contacts, or access to your network.

“If they’re requesting permissions that they seem like they shouldn’t be using, to do the thing that they’re claiming to do, then there’s probably something going on,” Swartz says.

To illuminate this point, Swartz uses the example of flashlight apps that were popular back before smartphone operating systems built in the ability to turn on the light on the back of your phone.

Back then, “they’d download these apps that would say, ‘I will turn on the light on your phone!’ but if you looked at all of them, they all had these crazy permissions they wanted,” Swartz explained. “They wanted your contacts, and your location, and full network access — for a flashlight app. Which means that they’re probably doing something malicious.”

Basically, if something feels off or if it’s requesting access to your personal information, just avoid it and save yourself the trouble.

“There’s no canonical example of what the permissions should be,” for any given app, he adds. “You have to use your best judgment.”
