Appendix:Pokémon GO Player's Guide/Malware

Before this begins, it should be noted that if you downloaded GO from a legitimate app store (such as Google's Play Store and Apple's App Store), it is almost certainly free from malware. Thus, you do not need to read the rest of the guide. In order to get the bad version, you must have disabled Android security and sideloaded the app.

The first thing to note is the bad version itself. It is afflicted with a tool known as Droidjack. Droidjack gives its controller full control of the phone, and monitors everything that you do on it. Its first known occurrence on GO was a little less than 72 hours after the Australian release, but it's likely that it happened before that point.

While Droidjack seems scary, it also leaves behind telltale signs that you can look at to tell if your version is infected.

App permissions

Possibly the easiest way to tell is to look at the permissions of the app, which can be found in your phone's settings. If your version is legitimate, these should be the permissions:

• Take pictures and videos
• Approximate location (network based)
• Precise location (GPS and network based)
• Modify or delete the contents of your SD card
• Read the contents of your SD card
• Find accounts on the device
• Use accounts on the device
• Full network access
• View network connections
• Access Bluetooth settings
• Pair with Bluetooth devices
• Control vibration
• Prevent phone from sleeping

If it has anything else, the game is fake, and almost certainly harmful. In particular, a DroidJack version will have permissions such as:

• Directly call phone numbers (this may cost you money)
• Read phone status and identity
• Edit your text messages (SMS or MMS)
• Receive text messages (SMS)
• Send SMS messages (this may cost you money)
• Record audio
• Modify your contacts
• Read call log
• Read your contacts
• Write call log
• Read your Web bookmarks and history
• Change network connectivity
• Connect and disconnect from Wi-Fi
• View Wi-Fi connections
• Retrieve running apps
• Run at startup

That's a long list. In particular if you see anything that makes absolutely no sense to be there or can cost you money, then it's malicious.

Another method, though not as simple, involves looking at the SHA-1 hash, which is a unique string of characters that tells whether a file is unaltered. The first string of characters below is the one associated with the legitimate app. The second is one that is known to have been used by a DroidJack version. Both are SHA-256 checksums.

8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67 - Legitimate app.

15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4 - App using a DroidJack version.

In order to check the hash, you must use a tool from an external source (there's no method of finding it that's predownloaded in your phone). There are a few online tools that allow you to do this, one good example being this: http://onlinemd5.com/ (You'd upload the app's file onto this tool in much the same way you've sidedownloaded the app to your phone).

If the app is malicious, then it can be deleted from the application manager, similarly to any other app.