Pokémon Go’s rapid rise in popularity has attracted cybercriminals to leverage its hype for their malicious intents. So far, we have seen backdoored Pokémon Go apps, lockscreen apps, scareware apps, SMS spam, as well as Windows ransomware. This time we have seen a new attack that takes aim at Pokémon Go users themselves, in the form of a fake Windows-based Pokémon Go Bot.

A Pokémon Go Bot is an application that works as a fake Pokémon trainer in order to level up a user’s account without putting in any effort. As such, many Pokémon Go players use Pokémon Go Bots in order to gain an advantage in the game.

The fake Pokémon Go Bot arrives as a package that appears to target Portuguese-speaking users:

The package contains a file named “” (detected as MSIL/PokBot.A!tr.pws) that displays the following user interface:

As can be seen above, this interface asks for the user’s Pokémon Trainer Club (PTC) credentials, or the Google email credentials used in the Pokémon Go account. It lures the user into thinking that logging in with their credentials will allow the Bot to automatically enhance their accounts. To make it look realistic, the “… Site” button in the interface opens a GitHub repository site of a legitimate but unrelated Pokémon Go Bot on the browser. ” button, on the other hand, only displays the following prompt:

Ultimately, the code of this application has nothing to do with Pokémon Go. Instead, it simply forwards the keyed Pokémon Go credentials to a predefined email address when the user clicks the “~ Login ~” button:

An example of an email issued by the malware is as follows:

“Contas Roubadas” are Portuguese words that mean “Stolen Accounts”, while “Senha” translates to “Password.”

Based on the logs present in the email account, some users have already taken the bait and keyed in their credentials to this bogus application.

With so many people getting hooked into Pokémon Go, it is not hard to imagine that some players may be willing to purchase Pokémon Go accounts that have an already levelled-up profile. Therefore, it makes sense for cybercriminals to target Pokémon Go users who opt to use bots, as there is a high likelihood that their profiles are levelled-up and are therefore profitable. Fortunately, Niantic now permanently bans user accounts that it identified to be using bots.

It is also worth noting that since the vast majority of players use their Gmail accounts to register a Pokémon Go account, it seems reasonable to assume that other attacks may stem from these accounts being compromised by MSIL/PokBot.A!tr.pws, such as identity theft. We anticipate that more attacks leveraging Pokémon Go will surface in the future. We advise users to be vigilant when downloading software related to Pokémon Go, especially from unknown sources.

Repository of all mined assets including sprites, sounds, and news items. This repo is organized based on category and is a combination of downloaded/remote assets and assets found inside the APK.

Folder Structure

Images
All 2D images of all assets that we mine are located here. Assets are organized based on category such as Pokemon, Items, Backgrounds, etc.

3D Assets
All 3D models and their textures (if present) of all assets that we mine are located here. Assets are organized based on category such as Pokemon, Items, Clothing, etc.

Sounds
All sound effects and music that are mined are found here. They are organized by category such as Pokemon Moves, Music, Menu Sounds, etc.