Skip to Content

Malicious Pokémon Go Fakes Infiltrate Google Play Store

Popularity Of Nintendo's New Augmented Reality Game Pokemon Go Drives Company Stock UpPopularity Of Nintendo's New Augmented Reality Game Pokemon Go Drives Company Stock Up
NEW YORK, NY - JULY 11: Two men (L) play Pokemon Go on their smartphones outside of Nintendo's flagship store, July 11, 2016 in New York City. The success of Nintendo's new smartphone game, Pokemon Go, has sent shares of Nintendo soaring. (Photo by Drew Angerer/Getty Images)Drew Angerer — Getty Images

Bad actors have been quick to leverage Pokémon Go’s thunderous popularity, and now they’ve hit a milestone worthy of the nefarious Team Rocket. According to ESET Security, a malicious app called Pokemon Go Ultimate (sic) actually made its way onto the Google Play store. According to ESET, this is the first “lockscreen” app ever found on Google Play.

Though the app appears to have been pulled, ESET reports that, when downloaded and run, the app installed not Pokémon Go, but something called “PI Network.” Anyone who ran that app would find their phone completely frozen, forcing them to restart the phone by removing the battery. After rebooting, the PI Network app seemed to disappear, but in fact continued running in the background and generating fake ad clicks.

Get Data Sheet, Fortune’s technology newsletter.

Victims of the app can find and uninstall it manually by going to their phone’s application manager.

ESET also spotted several other malicious apps, including one called “Install Pokemongo” (sic) and one called “Guide & Cheats for Pokemon Go.” Other apps promise to generate free in-app items, including Pokeballs, Pokecoins, or Lucky Eggs—but in the end, all of these are bait-and-switches, which ultimately “attempt to mislead the user into subscribing to expensive bogus services.”

The plague of malicious tricks surrounding the augmented-reality game highlights the security risk posed by Android’s relatively open app ecosystem. Though the specific apps highlighted by ESET seem to have been removed from the Play Store, a search this morning found several apps named with variations on “Install Pokémon Go.” The apps promise tips and tricks for ‘side-loading’ the game—installing it using unofficial files—a particularly appealing pitch for gamers in regions where the game isn’t available yet.

For more on Pokémon Go, watch our video.

But given the continuing plague of malicious fakes, tempted users should probably approach any non-official install file or method with extreme caution, and be circumspect even when installing support apps for the game.