Is Pokemon Go Really Malware?

The application does some things that are setting off all kinds of alarms over here…

When you have young kids, it’s hard to keep them away from all of the latest fads and trending stuff. They hear about it from a friend who’s either tried it, got it or seen it, and then they feel they have to try it too, or be left out of the fun. This is the lure of Pokémon Go, and it’s taking the country, and perhaps the world, by storm.

The game was released a few days ago as of this writing, and it’s become very popular. Scores of players are walking around, head down in their smartphone’s screen, searching for Pokémon to collect and for other players to battle. When players come to a monument, statue or other type of local landmark – called a Pokestop in the game – they can meet up, battle and play together thanks to the app using geolocation and a local GPS map of the area. Players can also drop a “virtual beacon” to attract and draw other players to their location.

Many people are doing just that… and then robbing players at gunpoint. It’s been all over the news.

But let’s put that aside for a moment… the game has a much larger problem and poses what I believe is a much more real and more serious threat than bumping into “Bonnie and Clyde” at a Pokestop near you. The game poses a serious security threat to users who log in with their Google Accounts.

The game seems innocent enough. It’s a free download from the App Store or from the Google Play Store and uses in-app purchases to generate revenue. It’s a common enough model that’s proven profitable for a number of different game developers. However, the biggest problem I’ve seen is with the way the app handles Google Accounts.

Every time I’ve tried to create a “Pokémon Go” account on the developer’s website, it says that the website is overloaded and that users should try again in an hour. This is a condition that hasn’t changed since the game was released. The other option you’re given is to log in with your Google Account. That will usually get you in and to chasing Pokémon up and down the street. However, you need to understand a few things about what happens when you log into Pokémon Go with your Google Account.

  1. You Give it Full Access to your Google Account
    This means it has access to EVERYTHING in your Google Account. It has access to and can read all of your email. It has access to all of your passwords. It has access to all of your credit cards stored in your Google Account. It can even change the passwords and security settings on that account, with the full access you give it. It can take your credit cards, with the CVVs, and go on a shopping spree if it wants… And YOU authorized it, just to get access to the game. Nice, huh?
  2. The Game’s Privacy Policy Considers Your Personal Data a Business Asset
    The privacy policy explicitly states that the data it collects, including PII (personally identifying information – like your credit card or other sensitive data) is a business asset. This means that it can sell the data, and that if the company goes under or is acquired by a third party, your PII goes along with the sale. You have no control over this, since you gave the game full access to your Google Account.

There is one thing that you can do to “protect” yourself. I found this in a ZDNet article, and the procedure outlined at the end of the article works; but there’s a catch. I’ll get to that in a moment…

If you wish to play the game and don’t want Niantic (the game manufacturer) to have full access to your Google Account, you can revoke that access by following these steps:

  1. Log into your Google Account and go to the Apps Connected to Your Account page.
  2. Find “Pokémon Go” in the app list, and click on it.
  3. Click the Remove Access button.
  4. When prompted, click the OK button to revoke full access.

Please Note: After you do this, Pokémon Go won’t have ANY kind of access to your Google account; but there’s no guarantee that they didn’t ultimately mine all of your intimate PII (personally identifying information) out of your account before you revoked its access.

However, this is where that catch comes in – I’ve noticed that when you do this, the app stops working.

You’re fine for the one session you’ve got, but if you quit the app, or push it to the background, you lose access to the game. The only way I’ve been able to get it working again is to either delete the app and set it up again; or to wait for the app to fault and then present you with the game setup process, including logging in with your Google Account, again. Game play and progress appear to be preserved across re-accessing or re-setting up the game. You don’t have to REcatch ’em all.

Niantic says that the iOS version of Pokémon Go erroneously requires full access to your Google Account. However, I haven’t seen anything about them correcting the problem with a new version of the app. Strangely, the Android version doesn’t do this. Logging in with a Google Account there provides Pokémon Go with an appropriate level of access to your Google Account.

This whole situation really bothers me… Many times, iOS users don’t seem to have a way to create a Pokémon Trainer Club account. The game says that the website is overwhelmed and it won’t let you create an account or play the game. What you don’t see, is that the rest of the site doesn’t act like it’s on an overloaded web server. Its performance is really very good.

Stranger still is that after you log in with a Google Account, performance of the game is very good, too. If the game’s website and web servers were overwhelmed with as many new account requests and game play as is being alluded to, it would show up in game performance. It doesn’t.

I think Pokémon Go is the biggest Trojan horse in the world… and everyone is giving it exactly what it wants – all of your credit card info, all of your PII, and access to your entire (Google catered) life, which it can sell to the highest bidder whenever it wants. And we’re doing it on purpose. Game players are either completely duped or just don’t seem to care…

I am deleting the game from my iPhone. I don’t need to catch ’em all… and honestly, you don’t either, especially if you don’t want your identity stolen. Prove me wrong, Niantic…! I dare you. Prove me wrong.

UPDATE: Several hours after submitting this story for publication, Niantic posted an update to the application that reduces Google Account access to the Basic level, only wanting to know your name and your email address. This is definitely a step in the right direction…
