Watch Out for Malware and Scams Playing Pokémon Go

Hailed as the most popular mobile game in U.S. history, you would have to be a Dwebble that never came out from under its rock to not have heard of Pokémon Go by now.

The app attracted 21 million daily active users last week, including myself. Now everyone from Spanish police to UK’s National Society for the Prevention of Cruelty to Children, are warning users to stay safe while playing.

As a member of the Dell SonicWALL team, security and protecting our customers is always on my mind, too. But today, I want to share some of my thoughts on the threats facing Pokémon Go users, including how parents should react and tips for players to stay safe. I will also list at the end resources and online security tips for all users of the internet, not just specific games.

Pokémon Go has only been released in the United States for a short period of time and has already earned its place in the annals of pop culture history. Although I am not from the Pokémon generation, I have downloaded the app to understand the awesomeness as well as the security implications and the potential threat vectors to users. First off, I understand the excitement but also the threats… and the main one is the weakness in players. I am not referring to the lack of ability to fight a Pokémon at a Pokémon gym (a place digital characters can battle each other… parents relax, its harmless), I am speaking of the weakness to cut corners to get ahead.

Anecdotal Evidence

I started the game a few days after it was released and saw that there was a Pokémon gym near my real-world gym and went to check it out. I arrived at a local stream near a parking lot, and saw cars and motorcycles filled with people with bent necks looking at screens. They were fighting the monsters in the digital arena. I participated and saw that my six best monsters could not fight off the lowest level defender. Frustrating.  Clearly, the top monsters of this gym belonged to people who put a lot of time (or money) in improving their creatures. From the looks of a few Pokémon Trainers, I can tell the frustration was mutual.

Cutting Corners

Being in the security space, I keep my finger on the pulse of the threat landscape, both digitally and physically. I was intrigued by the initial stories of crooks using lure modules (a game item that lures digital Pokémon to a Pokéstop) to lure people into locations where they could easily rob people of their cell phones and wallets and stories of people walking into traffic and bodies of water. These incidents are localized and rare, and if you’re a parent, I wouldn’t worry about this too much when it comes to your kids. Where people should be concerned is players trying to get ahead via “cheats” and opportunities to buy cheaper game currency.

To get ahead, you have to grind, pound the streets, hit the Pokéstops and the gyms. But even if you spend 18 hours a day on the game, you will never be the best. There is always someone dropping cash into the game to get ahead. Using real currency to buy digital assets was made famous with the game Everquest with people paying thousands of dollars for rare swords etc. The trend continued with others like The World of Warcraft, Mafia Wars, Farmville, Puzzles & Dragons and it is equally true with Pokémon Go.  Because paying to play is hard to do, people cheat. Within days of the release of the game, people started searching for cheats and there were many websites available, most of them fake or laden with malware.

Image: Google search trends for the term “Pokemon Cheat” vs. “Pokemon Hacks

People will always proclaim they have found a cheat either for personal pride or to lure people into downloading malware or to liberate them of their banking details or personal information. Let me break these down for you:


Malware is any form of malicious code or software, often designed to control systems or extract data.  [We used to use the term “virus” but that is just one form of malware.] They come in many variations; and as a parent, the type I’m most concerned about are RATs. Remote Access Trojans (RATs) are used to gain access to a computer, namely webcams, microphones, speakers, mice etc. Some hackers target kids because they are easy to manipulate. Hackers will make contact with kids with threats of showing their nude photos (which were taken via webcam) or deleting their music or by releasing a secret unless they do (insert name of act). It is heart wrenching and sites created for Pokémon Go cheats may have these Trojans embedded into files they ask you to download. Other malware may be used to track a person’s key strokes in order to capture user login information or financial details. I think your imagination can create accurate uses for that information.

Activity Scams

Outside of cheats and hacks, people are searching for “free Pokécoin generator.” You have to expect that all of the results are a scam. Many promise coins for downloading X (malware) or by completing surveys. The website owner makes money from you completing surveys while you end up with nothing.

Fake Apps

Because Pokémon Go is not available in all regions, this has not stopped people from downloading “hacked” version of the app. These applications are trojanized versions of the real thing and are designed not to entertain you but to control your device. Only download the Pokémon Go app from your official app store.


To get ahead in the game you either have to grind or pay to play. To help you gain an edge, Nintendo has kindly made digital currency obtainable for up to $100 USD for 14,500 Pokécoins. Already, I have found sites promising to give you up to 30K for the same amount. You better believe that you will receive nothing.

You may feel safe if a website offers PayPal or credit card options since there can be a path to remediation if you are duped. However, the owners of that website may be placing orders with your credit card at that moment on various websites to obtain items they will sell on the secondary market. Also, if you are visiting a non-reputable website that only accepts bitcoin, expect to be ripped off since there is no way to track where it goes. A guideline is, if it is a good deal there has to be a catch.

Long story short, cheaters seldom win and this is the only location for free Pokecoins.

If you fell for the trick in the previous sentence, you need to keep reading this blog.

Playing Safe

Let me give you a few tips to help you play safe:

  • Cheats and cheap Pokécoins are usually a ruse. If you don’t want to pay, you have to grind.
  • Don’t play and drive, even at low speeds. Pokémon won’t appear on the map at high speeds and it won’t count as walking if you want to hatch your eggs.
  • Only download apps to your phone from the official store, not from illegitimate sources.
  • Play with a friend, make it a social game, there is safety in numbers.
  • Walk in open well lit areas. To crooks, walking around with your phone exposed is like walking around with $300 hanging around your neck.
  • You don’t need to be in the exact location of a Pokéstop to get your items and XP. Meaning you don’t always have to go under that bridge or trespass onto private property.
  • You don’t have to continuously watch your phone. Your phone should vibrate when a Pokémon appears near you.
  • Alternate hands & positions. Holding your phone in the same position in the same hand will lead to repetitive stress injuries over time. Carpal tunnel is not awesome.
  • Turn your phone off while crossing streets, you can’t fight a Pokémon in the middle of the road.
  • Don’t get too into this. Variety is the spice of life. There are Everquest & WOW players who wish they had a lot of time and money back.
  • Bring a portable phone charger with you along with sunscreen, water & a lunch for extended adventures.

Online Safety Tips

  • Keep your computer browsers up to date.  There is a lot of security baked into web browsers these days.  Only visit reputable websites.
  • Keep your operating system up to date for the same reason.
  • Only load personal information on encrypted sites.  Look for https:// in the address bar.
  • Have up to date malware/anti-virus software on your devices.
  • Research scam reports on any purported game hacks
  • Be cautious when buying anything online.  If they only accept bitcoin, back away.
  • Back up your files monthly.  If you get hit with a ransomware attack, you don’t have to worry about losing much data to hacks.
  • Be cautious of shortened URLs, such as Bitly.  These URL shortening services hide the domain so you are not sure if you will be visiting a legitimate page, or a hacker’s domain.

Note to Parents

Yeah, I know, times are not the same and we feel our generation was better but your grandparents and parents had the same sentiments about the Beatles and Nintendo. Pokémon Go is awesome and it forces you to walk in the real world to play; you can’t play this on the toilet. Don’t pay too much attention to the bad stories although they are real threats. If your kids are younger, teach them about putting the phone away when crossing streets or when walking near questionable people. Teach them about internet safety and how cheats actually cheat the cheater not the game. And keep an eye on your credit card if you kids beg you for Pokécoins; consider changing the password to their app store if you are worried about impulse control.  If your kids are complaining about not having enough items, take a few detours on the way home to a few Pokéstops to stock up on free items.  Just be sure to pull over and wait a few seconds.

Top image by Robert Couse-Baker via Creative Commons

About the Author: Brook Chelmo