8 Facts You Have to Know for the Safest Pokemon Hunt

It’s taking the world by storm. People are leaving their homes in droves and abandoning their normal lives in an attempt to catch them all. It is a Pokémon renaissance happening in 2016. In the early hours of the morning and the wee hours of the night, droves of people are heading to parks and lakes. Poke stops, the designated landmarks designed to help Poke Masters refill on poke balls and other essentials, are frequented by the young and the old. With seemingly entire countries obsessed with the game, many security experts are concerned with the permissions and information accessed by the game. In addition, there are real-world dangers in playing the game. Here are the top 8 things you need to know about Pokemon Go in order to stay safe.


1) Accessing your Google Account:

When first signing up for the popular game, a user has the option to sign up using their Google account or through a special Pokémon Trainers club. Simply for convenience’s sake, many people opt for the Google account registration. This just requires the user to enter their Google account login, such as an email, and the password for their Google account. The issue with this is that the app then has unrestricted access to all parts of a user’s Google account. The user is required to give access to the app so that the game may be played, but is not alerted to what the app can access; the permission is aptly named “Full Account Access”. This proves to be problematic as the app could theoretically access photo libraries and billing information.

2) Camera Usage:

The app’s prized feature is an AR option that brings the Pokémon to life. In order to activate the augmented reality feature, a player must allow the app to access the personal device’s camera. The AR feature on the app is a huge draw for the players in the game, as it feels similar to reality. Using the AR feature, however, requires camera permission, which is another portal for possible data leakage. People take photos with the Pokémon but in turn end up capturing street addresses, car license plates, possible credit card information, and many other details.

3) GPS Tracking: Location Location Location.

Pokémon Go is an app that utilizes a user’s GPS location and camera to support its gameplay. These two permissions, however, prove to be problematic when it comes to mobile security.  The game uses GPS to track where a player is and spawn the rare Pokémon when many players are clustered together. This proves to be a high security threat because a hacker can pinpoint a player’s precise whereabouts.

4) Not watching where you’re going:

It’s been reported previously that people are having accidents left and right from obsessive game play. From players abandoning their cars in search of the most rare Pokémon to players falling off cliffs looking for an elusive Charmander, people are putting their safety as a secondary priority to the Hitmonchan hunt.

5) Armed robbery

Hackers aren’t the only criminals after the players in Pokemon Go. Robberies are happening all over because of the level of game play. These low life criminals drop lures on poke stops around different cities, meant to draw more Pokemon to the poke stop. Since these lures are public and visible within the app, many players will stop by these locations hoping to use these communal lures for their own Jigglypuff hunts. This helps round up potential victims and their valuable possessions into one common area, making for an easy trap.

6) Downloading a third party app:

Previously, the Pokemon Go app was only available in selected countries and areas. With the craze going so strong in the United States, countries like England and Canada were feeling major FOMO. Many users turned to third party apps to obtain the game to play and join in the worldwide obsession. This is a steep slope to walk down, however. Many third party apps contain malware or phishing software. Added alongside the massive amount of permissions required to play the Pokemon App, this makes it a huge security threat.

7) Fake Apps:

A new group of dangerous applications is targeting Pokémon Go users by promising cheats, tips, and other functionality. Despite their innocuous-sounding titles, the apps actually contained malicious code that either tricked users into paying for expensive bogus services or took over victims’ phones to click porn ads, among other things.

8) Trustlook:

To ensure your safety and privacy, researchers cannot recommend enough using a security application. Using an antivirus app that deeply scans and alerts you of any data breaches is vital during this kind of social frenzy. Trustlook can protect every player from all the threats of Pokemon Go and any other threat in the market. With ID Check, Boost, SD Card Scan, Backup and Restore, and many other features, Trustlook can make sure you stay safe while in hot pursuit of Pikachu.  Download the Trustlook app here on the Google Play store today.

Trustlook in HeartBleeding

We know Heartbleed is causing a frenzy, and some mobile devices are also impacted. To ease your scanning and testing work, the Trustlook Research team has released a tiny Swiss Army toolkit, Heartbleed Pulse, on Google Play.


The application is super easy to use. It contains three sections.

The first section shows your device information, including whether the OpenSSL library is vulnerable and whether the heartbeat feature is enabled.




The second section contains the app scan feature. After a single click, the app scan results are displayed.



The third section lists some patched and unpatched websites. If you want to test your own website, just enter your domain name in the text box and click the “check” button; the result will come back in seconds.




Trustlook Antivirus

If you want more protection, you can always download and install Trustlook Antivirus.



Critical Vulnerability: AWS Credential Disclosure


This is NOT an April Fools joke 

The Trustlook Security team has discovered a critical AWS credential-leaking vulnerability in many mobile applications. Due to a bad security practice, some developers, including a few large vendors, have embedded AWS credentials in their mobile applications, which allows attackers to gain access to the Amazon cloud infrastructure.

In the initial scan of cached apps in Trustlook’s cloud platform, we found that more than 50 Android applications, including some very popular ones, are impacted by this critical vulnerability. As our research team is still working with the vendors to fix this vulnerability, more detailed information will be published as soon as we have ensured no one would be harmed.

As for the impact, attackers can do almost anything on behalf of the developer’s AWS account, including:

1) Start or shut down existing Amazon EC2 virtual machines
2) Add or delete existing Amazon S3 storage database
3) Add or modify Amazon SNS and SQS information
4) All other Amazon services

A victim’s true story (http://goo.gl/fu0NPB): the attacker compromised his AWS account and opened some extra-large instances to mine bitcoin.

We reasonably believe that some of the vendors’ backend data has already been leaked.


Some of the scanning results:

Cloud Storage App, 10M – 50M installations:

[Screenshot]


Reading and Music app, 10M – 50M installations. Yes, they tried to hide the AccessKey pair in a library file and load it dynamically, but it can still be reversed:

[Screenshot]


Popular Social App that everyone knows. They encoded the key, but it can be easily decoded:

[Screenshot]


A glance at the list:

[Screenshot]



To developers: it’s always a bad idea to hardcode AWS credentials into your app, because anything you put into the code or resources can easily be reversed from the compiled APK file. If you really need that functionality, “Temporary Security Credentials” are a good alternative (http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html).
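A pre-release check a developer can run on their own build to catch the mistake described above, as an added example (not Trustlook's scanner or code from the original post). It walks every entry of the APK archive, including native libraries, and also looks inside base64 runs; base64 as the encoding, the entry names and the key IDs are assumptions constructed for the demonstration.

```python
import base64
import io
import re
import zipfile

# Long-term IAM access key IDs are "AKIA" plus 16 uppercase letters or digits.
KEY_ID = re.compile(rb"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])")
# Base64 runs long enough to hold an encoded 20-character key ID.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")

def find_key_ids(data):
    """Return key IDs present in raw bytes or inside base64-encoded runs."""
    hits = {m.group().decode() for m in KEY_ID.finditer(data)}
    for run in B64_RUN.finditer(data):
        text = run.group().rstrip(b"=")
        try:
            decoded = base64.b64decode(text + b"=" * (-len(text) % 4))
        except ValueError:  # not valid base64 after all
            continue
        hits |= {m.group().decode() for m in KEY_ID.finditer(decoded)}
    return hits

def scan_apk(apk_bytes):
    """Map each archive entry (dex, native libs, resources) to its key IDs."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            hits = find_key_ids(apk.read(name))
            if hits:
                findings[name] = sorted(hits)
    return findings

def build_sample_apk():
    """Constructed stand-in for an APK; entry names and keys are made up."""
    encoded = base64.b64encode(b"AKIAEXAMPLEKEY000002")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00AKIAEXAMPLEKEY000001\x00")
        z.writestr("lib/armeabi/libhypothetical.so", b"\x7fELF\x00" + encoded + b"\x00")
        z.writestr("res/raw/notes.txt", b"no credentials here")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, keys in scan_apk(build_sample_apk()).items():
        print(f"FAIL {entry}: embedded AWS access key ID {keys}")
```

Wired into a release pipeline as a failing gate, a hit means the key should be treated as exposed and rotated, not merely removed from the next build.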