{
	"id": "805fcd40-8d73-49be-bf09-e29e68d8866e",
	"created_at": "2026-04-06T03:36:18.073915Z",
	"updated_at": "2026-04-10T13:12:53.863373Z",
	"deleted_at": null,
	"sha1_hash": "ef97f2b529e75bacb34cc24851d2cace7e1e6bb5",
	"title": "DroidJack Uses Side-Load - Backdoored Pokemon GO Android App Found | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1422950,
	"plain_text": "DroidJack Uses Side-Load - Backdoored Pokemon GO Android App Found | Proofpoint US\r\nBy Proofpoint Staff, July 07, 2016\r\nPublished: 2016-11-03 · Archived: 2026-04-06 02:12:55 UTC\r\nOverview\r\nPokemon GO is the first Pokemon game sanctioned by Nintendo for iOS and Android devices. The augmented reality game was first released in Australia and New Zealand on July 4th, and users in other regions quickly clamored for versions for their devices. It was released on July 6th in the US, but the rest of the world will remain tempted to find a copy outside legitimate channels. To that end, a number of publications have provided tutorials for \"side-loading\" the application on Android. However, as with any apps installed outside of official app stores, users may get more than they bargained for.\r\nIn this case, Proofpoint researchers discovered an infected Android version of the newly released mobile game Pokemon GO [1]. This specific APK was modified to include the malicious remote access tool (RAT) called DroidJack (also known as SandroRAT), which would give an attacker virtually full control over a victim’s phone. The DroidJack RAT has been described in the past, including by Symantec [2] and Kaspersky [3]. Although we have not observed this malicious APK in the wild, it was uploaded to a malicious file repository service at 09:19:27 UTC on July 7, 2016, less than 72 hours after the game was officially released in New Zealand and Australia.\r\nLikely because the game had not been officially released globally at the same time, many gamers wishing to access the game before it was released in their region resorted to downloading the APK from third parties. Additionally, many large media outlets provided instructions on how to download the game from a third party [4,5,6]. 
Some even went further and described how to install the APK downloaded from a third party [7]:\r\n“To install an APK directly you'll first have to tell your Android device to accept side-loaded apps. This can usually be done by visiting Settings, clicking into the Security area, and then enabling the \"unknown sources\" checkbox.”\r\nUnfortunately, this is an extremely risky practice and can easily lead users to install malicious apps on their own mobile devices. Should an individual download an APK from a third party that has been infected with a backdoor, such as the one we discovered, their device would then be compromised.\r\nIndividuals worried about whether or not they downloaded a malicious APK have a few options to help them determine if they are now infected. First, they may check the SHA256 hash of the downloaded APK. The legitimate application that has often been linked to by media outlets has a hash of 8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67, although it is possible that updated versions have already been released. The malicious APK that we analyzed has a SHA256 hash of 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4.\r\nhttps://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app\r\nPage 1 of 10\n\nAnother simple method to check if a device is infected would be to check the installed application’s permissions, which can typically be accessed by first going to Settings -\u003e Apps -\u003e Pokemon GO and then scrolling down to the PERMISSIONS section. Figure 1 shows a list of permissions granted to the legitimate application. These permissions are subject to change depending on the device’s configuration; for example, the permissions “Google Play billing service” and “receive data from Internet” are not shown in the image but were granted on another device when downloading Pokemon GO from the Google Play Store. 
In Figures 2 and 3, the outlined permissions have been added by DroidJack. Seeing those permissions granted to the Pokemon GO app could indicate that the device is infected, although these permissions are also subject to change in the future.\r\nFigure 1: Granted permissions from legitimate Pokemon GO APK\r\nFigure 2: Granted permissions from the backdoored Pokemon GO APK (first screenshot)\r\nFigure 3: Granted permissions from backdoored Pokemon GO APK (second screenshot)\r\nThe infected Pokemon GO APK has been modified in such a way that, when launched, the victim would likely not notice that they have installed a malicious application. Figure 4 shows the startup screen from the infected Pokemon GO game, which is identical to the legitimate one.\r\nFigure 4: Infected Pokemon GO start screen; it appears identical to that of the legitimate application\r\nFurther inspection of the infected game, compared with the legitimate game, reveals three classes that have been added by the attacker. 
Figure 5 shows the classes from the legitimate game while Figure 6 shows the classes from the infected game, including the following added classes:\r\na\r\nb\r\nnet.droidjack.server\r\nFurthermore, this DroidJack RAT has been configured to communicate with the command and control (C\u0026C) domain pokemon[.]no-ip[.]org over TCP and UDP port 1337 (Fig. 7). No-ip.org is a service used to associate a domain name with a dynamic IP address like that generally assigned to home or small business users (as opposed to a dedicated IP address), but it is also used frequently by threat actors, along with other similar services like DynDNS. At the time of analysis, the C\u0026C domain resolved to an IP address in Turkey (88.233.178[.]130) which was not accepting connections from infected devices.\r\nFigure 5: Legitimate Pokemon GO classes\r\nFigure 6: Infected Pokemon GO classes with highlighted malicious classes\r\nFigure 7: Hardcoded C\u0026C domain and port\r\nConclusion\r\nInstalling apps from third-party sources, other than officially vetted and sanctioned corporate app stores, is never advisable. Official and enterprise app stores have procedures and algorithms for vetting the security of mobile applications, while side-loading apps from other, often questionable, sources exposes users and their mobile devices to a variety of malware. As in the case of the compromised Pokemon GO APK we analyzed, the potential exists for attackers to completely compromise a mobile device. If that device is brought onto a corporate network, networked resources are also at risk.\r\nEven though this APK has not been observed in the wild, it represents an important proof of concept: namely, that cybercriminals can take advantage of the popularity of applications like Pokemon GO to trick users into installing malware on their devices. 
Bottom line, just because you can get the latest software on your device does not mean that you should. Instead, downloading available applications from legitimate app stores is the best way to avoid compromising your device and the networks it accesses.\r\nReferences\r\n1. http://pokemongo.nianticlabs.com/en/\r\n2. http://www.symantec.com/connect/blogs/droidjack-rat-tale-how-budding-entrepreneurism-can-turn-cybercrime\r\n3. http://www.welivesecurity.com/2015/10/30/using-droidjack-spy-android-expect-visit-police/\r\n4. https://www.theguardian.com/technology/2016/jul/07/how-to-get-pokemon-go-uk\r\n5. http://www.wired.co.uk/article/pokemon-go-out-now-download-ios-android\r\n6. http://www.androidpolice.com/2016/07/07/pokemon-go-now-live-several-countries-including-australia-new-zealand-possibly/\r\n7. http://arstechnica.com/gaming/2016/07/pokemon-go-ios-android-download/\r\nIndicators of Compromise (IOC)\r\nIOC | Type | Description\r\n15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4 | SHA256 | Backdoored Pokemon GO APK\r\nd350cc8222792097317608ea95b283a8 | MD5 | Backdoored Pokemon GO APK\r\npokemon.no-ip.org | Domain | DroidJack C\u0026C\r\n88.233.178.130 | IP | DroidJack C\u0026C\r\nSelect ET Signatures that would fire on such traffic:\r\n2821000 || ETPRO MOBILE_MALWARE Pokemon GO AndroidOS.DroidJack DNS Lookup\r\n2821003 || ETPRO MOBILE_MALWARE AndroidOS.DroidJack UDP CnC Beacon\r\nSource: https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"
	],
	"report_names": [
		"droidjack-uses-side-load-backdoored-pokemon-go-android-app"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446578,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef97f2b529e75bacb34cc24851d2cace7e1e6bb5.pdf",
		"text": "https://archive.orkl.eu/ef97f2b529e75bacb34cc24851d2cace7e1e6bb5.txt",
		"img": "https://archive.orkl.eu/ef97f2b529e75bacb34cc24851d2cace7e1e6bb5.jpg"
	}
}