Gotta catch something nasty

Since our previous blog posting on the subject[1], the official versions of the Pokémon Go mobile app have seen a phased release across many parts of the world[2]. From 13th to 16th July, they were made available in several European countries; Canada on 17th July; and Japan on 22nd July[3], following the original releases in Australia, New Zealand and the US on 6th July.

Pokémon Go itself is an ‘augmented reality’ app, in which players negotiate real-world locations in an attempt to collect and battle Pokémon characters, in addition to collecting ‘Poké Balls’, food and other virtual items that are intended to assist with catching, feeding and nurturing the creatures that have been found.

The success and popularity of the app are exceptional. It has become the fastest game to top the charts of both the official iOS (Apple/iTunes) and Android (Google Play) app stores[4], having been installed on more than 5% of Android devices in the US within two days of release[5], and achieving more than 30 million global downloads by 20th July[6]. By 13th July, the app was already reported to have average daily usage figures greater than those for Snapchat, Tinder, Twitter, Instagram and Facebook[7].

Its popularity is such that, even before its official release in various countries, large numbers of users were obtaining versions of the app from ‘standalone’ app-download sites. Since there are often no official checks on the integrity or legitimacy of the content available from such sites, reports quickly surfaced of the appearance of fake versions of the game. Many of these versions were malicious in nature, including instances infected with a tool intended to allow remote attackers to gain access to a user’s mobile device[8]. Even after the official launch, and even on the official app marketplaces – where checks should be in place to verify the legitimacy of the applications on offer – large numbers of fake or unofficial apps were being observed, including examples that could lock users’ phones or generate adverts featuring pornographic content[9,10]. The (official) Pokémon Go game also incorporates the use of an in-game currency, which can be purchased though the app using real-world payments. This makes the creation of non-legitimate versions of the game a tempting prospect for fraudsters. These trends highlight the need for brand owners to protect their reputations – and the security of their customers – by monitoring both official and third-party app marketplaces for the appearance of unofficial apps incorporating branded content, and employing a process of enforcement to have the offending applications removed.

Any product that generates a following on the scale of that seen for Pokémon Go can also cause other security and brand-protection issues for its owner. In the days following the app’s European releases, a hacking group claimed to have carried out a denial-of-service attack – involving the use of an array of compromised computers to make repeated Internet connections to a company’s central servers – to render the game inaccessible[11]. Over much of that weekend, login access to the app was unavailable, though this was undoubtedly also partly due to the number of (real) users attempting to connect to the game – particularly from regions in which the app had not yet formally been released.

In terms of a ‘classic’ brand-protection issue, the one-week period to 14th July saw the registration of nearly 4,000 dotCom and dotNet domains with names incorporating the Pokémon trademark[12]. Many of these were undoubtedly bought by cyber-squatters, attempting to take advantage of the game’s popularity to misdirect potential customers to third-party websites, to generate revenue via the use of pay-per-click advertisements, or in the hope selling the domain names to the brand owner. In a similar case seen previously, Nintendo won the transfer of ownership, following a UDRP case, of a typo-squatted domain – – which had at different times been configured to re-direct visitors variously to a pornographic site, a gambling site and to malicious content[13].

In addition, NetNames has also noted the distribution of spam e-mails that are using the popularity of the Pokémon Go game to encourage users to click on embedded links, directing to content that may be fraudulent, malicious and/or generating revenue for third parties. In one example, the recipient is promised an opportunity to win £500-worth of the PokéCoin currency used within the app.

A technological product with the levels of success achieved by the Pokémon Go app – in only its first few weeks – can present enormous opportunity, not just for the brand owner, but also for the users of the product and for other businesses. For example, a number of organizations have seen marked increases in custom simply by virtue of being located near to a PokéStop, by opening a mobile outlet near to a popular Pokémon spot, or via the use of in-game ‘lures’ to draw Pokémon characters (and thereby Pokémon Go players) to their location[14]. However, the points raised above serve to highlight that there is also a need not only for vigilance by the users of such a product, but also a requirement for the brand owner to carefully consider its security and brand-protection requirements in response to the emerging threats.


David Barnett is Head of Analysis and Consultancy in the NetNames Brand Protection team.
His forthcoming book, ‘Brand Protection in the Online World’, will be published in December and will shortly be available to pre-order via the publisher’s website: