Major security and privacy concerns have arisen over Pokémon Go.
The Android and iOS app has become a phenomenon, with 2.94 million tweets from users in the UK – where the game isn’t even officially available yet.
But attackers are spreading malware disguised as the app. Pokémon Go is currently only available in certain countries, but that hasn’t stopped eager trainers elsewhere, including in the UK, from "sideloading" Android builds of the app onto their phones from sources outside Google’s Play Store.
The malicious version was identified by security firm Proofpoint, whose researchers found a copy of the Pokémon GO app, distributed outside the Play Store, that had been bundled with a remote access tool, or RAT, called DroidJack, which they say can give an attacker “full control over a victim’s phone.”
However, users who have the legitimate app (via US or other international accounts) can take some comfort: separate reports of a privacy problem aren’t as damning as first thought.
While the iOS app is granted ‘full access’ to the user’s Google account at sign-in, the permission as listed is misleading, and the access the app actually uses is nowhere near as broad as that label suggests.
Some execs within the IT and games industry have expressed concerns, while others have downplayed the security issues.
Treating Pokemon Go like the scapegoat for internet privacy and security concerns which have existed for years is hugely unfair.
— Liam Esler (@liamesler) July 12, 2016
“‘Full account access’ is not the best wording, and should probably be changed on Google’s end,” Rubenstein wrote.
“My best guess for what is happening is that one of the scopes is a legacy ‘login’ scope from OAuth1 which may be leading the UI to default to ‘Full account access’, when in reality, it only has the above perms.”
Niantic, the app’s developer, has responded to the controversy, saying: “We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account.
“However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and email address) and no other Google account information is or has been accessed or collected.
“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.”
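The fix Niantic describes is a client-side one: request only the scopes the app actually needs. The following is an added example, not code from the article, Niantic or Google, showing how a client (or a code-review check) can enforce that. It parses the `scope` parameter of a Google OAuth 2.0 authorization URL and flags anything outside a basic-profile allowlist (`openid` for the user ID, `email` for the address). The client ID, redirect URI and the legacy scope string are constructed placeholders; the authorization endpoint is Google's real one.

```python
"""Least-privilege scope check for an OAuth 2.0 authorization request.

Added example (not the article's or Niantic's code). The allowlist below is
the minimal set a client that only needs the user's ID and email should ask
for; everything else in the request is reported as excess.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlencode, urlparse

# Google's OAuth 2.0 authorization endpoint.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Scopes that yield only the user ID ("openid" -> sub claim) and email address.
# The long-form userinfo.email scope is Google's alias for the same data.
ALLOWED_SCOPES = frozenset({
    "openid",
    "email",
    "https://www.googleapis.com/auth/userinfo.email",
})


def build_auth_url(client_id: str, redirect_uri: str, scopes: list[str]) -> str:
    """Build an authorization URL; scopes are space-separated per RFC 6749."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def requested_scopes(auth_url: str) -> list[str]:
    """Return the scopes an authorization URL asks for, in request order."""
    query = parse_qs(urlparse(auth_url).query)
    raw = query.get("scope", [""])[0]  # parse_qs already decodes '+' and %XX
    return [s for s in raw.split(" ") if s]


def excess_scopes(auth_url: str) -> list[str]:
    """Scopes requested beyond the basic-profile allowlist."""
    return [s for s in requested_scopes(auth_url) if s not in ALLOWED_SCOPES]


def is_least_privilege(auth_url: str) -> bool:
    """True if the request asks for nothing beyond user ID and email."""
    return not excess_scopes(auth_url)


# Constructed inputs: a request carrying a hypothetical legacy login scope
# alongside the basic ones, and the corrected request without it.
LEGACY_SCOPE = "https://example.invalid/legacy-login"  # placeholder, not a real scope
OVERBROAD_URL = build_auth_url(
    "example-client-id", "https://app.example/callback",
    ["openid", "email", LEGACY_SCOPE],
)
FIXED_URL = build_auth_url(
    "example-client-id", "https://app.example/callback",
    ["openid", "email"],
)

if __name__ == "__main__":
    for label, url in (("before", OVERBROAD_URL), ("after", FIXED_URL)):
        extra = excess_scopes(url)
        print(f"{label}: {'OK' if not extra else 'excess scopes: ' + ', '.join(extra)}")
```

Running this as a pre-merge check catches a stray broad scope before it ever reaches the consent screen, which is where users saw the "Full account access" wording. The check is deliberately an allowlist rather than a blocklist of known-bad scopes, so an unfamiliar legacy scope is rejected by default rather than slipping through.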
The game has become a hit since launching last week in certain territories.
Pokemon GO is just insane right now. This is in Central Park. It's basically been HQ for Pokemon GO. pic.twitter.com/3v2VfEHzNA
— Jonathan (@IGIhosT) July 11, 2016
UPDATE: Pokémon Go has been updated to fix the Google access bug