Until Pokemon Go makes it way to countries outside of Australia, New Zealand, and the US, a vast majority of eager fans have little choice but to resort to obtaining the game through unofficial means, which means downloading the APK file. It's something we've outlined in this handy guide for Android users.
In the event you've obtained Pokemon Go through other sites, there's a chance it might not be the right APK. According to security software company Proofpoint, a malicious version of the game has been uploaded to various APK download sites.
(Also see: How to Download, Install, and Play Pokemon Go Right Now)
"This specific APK was modified to include the malicious remote access tool (RAT) called DroidJack (also known as SandroRAT), which would virtually give an attacker full control over a victim's phone. The DroidJack RAT has been described in the past, including by Symantec and Kaspersky. Although we have not observed this malicious APK in the wild, it was uploaded to a malicious file repository service at 09:19:27 UTC on July 7, 2016, less than 72 hours after the game was officially released in New Zealand and Australia," the firm said.
This means that there's chance that the Pokemon Go APK you downloaded is a fake, and could give anonymous individuals complete access to your phone. Here's how you can tell if the Pokemon Go APK you've downloaded is RAT-free.
(Also see: Pokemon Go Tips and Tricks)
Method 1: check the SHA-256 of your file.
The Secure Hash Algorithm or SHA is a string of characters unique to specific data. It's a way to check if a file has been altered or not by acting like a signature for a text or data file.
To calculate the SHA-256 hash of your Pokemon Go APK this is what you need to do:
- Obtain Hash Droid from the Play Store.
- Select Hash A File.
- Under Select a hash function, choose SHA-256.
- Choose the Pokemon Go APK from your Download folder.
- Hit Calculate.
- If safe you should get: 5a8679e3e4298b7b3ffac725106db12a21bdb0bcf746f44fa7e46c40dbf794aa
At the time of posting this, no updated versions of Pokemon Go have been released so it is safe to assume any other SHA-256 hash belongs to a malicious APK.
(Also see: Playing Pokemon Go in India? Here's Everything You Need to Know)
As per Proofpoint, the SHA-256 of one of the malicious APKs is 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4
Method 2: Check app permissions
- On your Android device go to Settings -> Apps -> Pokemon Go
- View the Permissions section.
- Here's what it should be asking permission for:
(Also see: Pokemon Go Is Responsible for These Real Life Weird and Scary Things)
And here's what one of the malicious Pokemon Go APK asks for:
(Also see: Pokemon Go Cheatsheet: 10 Things to Know About the Game That Has Everyone Hooked)
As you can see, it would ask for access to your call logs, record audio, check your browsing history, and even send messages and make calls on your behalf. Scary.
Hopefully Niantic and The Pokemon Company rectify this by making Pokemon Go available to all regions soon. Till then though we'd advise caution prior to downloading.