2016-09-02 - ANDROID APP - GUIDE FOR POKEMON GO
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-09-02-Guide-for-Pokemon-Go-app-traffic.pcap.zip 2.4 MB (2,388,662 bytes)
- 2016-09-02-Guide-for-Pokemon-Go-app-traffic.pcap (2,698,723 bytes)
- ZIP archive of the APK file: 2016-09-02-Guide-for-Pokemon-Go-apk-file.zip 2.1 MB (2,135,778 bytes)
- com.pokemon.gofor.guide.apk (2,250,397 bytes)
NOTES:
- The Guide for Pokemon Go is an Android app available on Google Play.
- The developer is Markersel, who has only this one app on Google Play.
- I ran across a link to an APK file with the same name on gp.apiv7.com, which is a domain registered through GoDaddy.
- I installed the app from gp.apiv7.com on an old Samsung Galaxy S3 that I'd wiped and cleared the phone number from.
- Saw callback traffic over the wireless connection to at least two domains associated with Chinese individuals or organizations.
- Both the Google Play and the gp.apiv7.com versions of the app had the same callback traffic.
- Apps like this created by independent or small-scale developers based in China on Google Play are common enough, so the callback traffic isn't much of an issue.
- Ultimately, I couldn't find anything actually malicious in either version of the app through the network traffic.
IMAGES
- [Image] Permissions requested when installing the app on an Android phone.
- [Image] Screenshot of the app when opened on the phone.
- [Image] A different (perhaps newer) version of the app is on Google Play.
- [Image] Wireless network traffic from the phone using the gp.apiv7.com version of the app.
- [Image] Wireless network traffic from the phone using the Google Play version of the app.
- [Image] Nothing really in the traffic when I used tcpreplay on Security Onion with Suricata and the ETPRO ruleset.
- [Image] The only interesting thing I saw reading the pcap with Snort using the subscriber ruleset.
TRAFFIC
ASSOCIATED DOMAINS:
- 104.20.62.178 port 80 - gp.apiv7.com - GET /apk/googleplay/com.pokemon.gofor.guide.apk
- 52.220.59.122 port 80 - api.jigoolng.com - GET /only/gp0715/1.html?[long string of ASCII characters representing hex values]
- 110.173.196.36 port 80 - alog.umeng.com - POST /app_logs
- 106.39.219.1 port 80 - s.appjiagu.com - POST /pkl16.html
- 36.110.213.226 port 80 - a.appjiagu.com - POST /jiagu/t/infos
- 36.110.213.226 port 80 - a.appjiagu.com - POST /jiagu/mark/upgrade
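The list above is the kind of summary you get by pulling the request line and Host header out of each HTTP request in the pcap, and the long hex-looking query string to api.jigoolng.com is the one item a practitioner would try to decode. The script below is an added example written for this page, not code from the original post or from the app's developer. It works on constructed HTTP payloads embedded inline (the hosts and paths mirror the list above, but the query string, User-Agent, POST bodies and the 192.0.2.10 flow are made up for the example; the page does not say what the real hex query decodes to). It parses each payload, normalizes the result into "ip port N - host - METHOD path" lines (stripping a redundant ":80" from the Host header and de-duplicating repeated requests), and attempts a hex decode of bare hex query strings, reporting the text only when it is printable ASCII.

```python
"""Summarize HTTP requests from captured TCP payloads and probe hex-encoded
query strings. Added example for this write-up; all sample data is CONSTRUCTED."""
import binascii
import re
from typing import Dict, List, Optional, Tuple

REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) (\S+) HTTP/1\.[01]$")
HEX_RUN = re.compile(r"^[0-9a-fA-F]+$")

# Plaintext used to build the constructed hex query (assumption, not from the pcap).
CONSTRUCTED_QUERY_PLAINTEXT = "pkg=com.pokemon.gofor.guide&ver=1.0&model=GT-I9300"

# Constructed flows: ((server ip, server port), raw TCP payload of the client request).
SAMPLE_FLOWS: List[Tuple[Tuple[str, int], bytes]] = [
    (("104.20.62.178", 80),
     b"GET /apk/googleplay/com.pokemon.gofor.guide.apk HTTP/1.1\r\n"
     b"Host: gp.apiv7.com\r\nUser-Agent: Dalvik/1.6.0 (Linux; Android 4.3)\r\n\r\n"),
    (("52.220.59.122", 80),
     b"GET /only/gp0715/1.html?" + binascii.hexlify(CONSTRUCTED_QUERY_PLAINTEXT.encode())
     + b" HTTP/1.1\r\nHost: api.jigoolng.com\r\n\r\n"),
    (("110.173.196.36", 80),
     b"POST /app_logs HTTP/1.1\r\nHost: alog.umeng.com\r\nContent-Length: 2\r\n\r\n{}"),
    (("106.39.219.1", 80),  # Host header carries a redundant :80, as seen in the capture
     b"POST /pkl16.html HTTP/1.1\r\nHost: s.appjiagu.com:80\r\nContent-Length: 0\r\n\r\n"),
    (("36.110.213.226", 80),
     b"POST /jiagu/t/infos HTTP/1.1\r\nHost: a.appjiagu.com\r\nContent-Length: 0\r\n\r\n"),
    (("36.110.213.226", 80),
     b"POST /jiagu/mark/upgrade HTTP/1.1\r\nHost: a.appjiagu.com\r\nContent-Length: 0\r\n\r\n"),
    (("110.173.196.36", 80),  # repeat of the umeng beacon, to show de-duplication
     b"POST /app_logs HTTP/1.1\r\nHost: alog.umeng.com\r\nContent-Length: 2\r\n\r\n{}"),
    (("192.0.2.10", 443),  # constructed non-HTTP payload (TLS record header), must be skipped
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]


def parse_http_request(payload: bytes) -> Optional[Dict[str, str]]:
    """Return method, path, query and host of the first HTTP request in a TCP payload.
    Returns None for non-HTTP data or a request whose headers are not complete."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    target = m.group(2).decode("ascii", "replace")
    path, _, query = target.partition("?")
    return {
        "method": m.group(1).decode("ascii"),
        "path": path,
        "query": query,
        # drop an explicit ":port" so "s.appjiagu.com:80" and "s.appjiagu.com" summarize alike
        "host": headers.get("host", "").split(":")[0],
    }


def summarize(flows: List[Tuple[Tuple[str, int], bytes]]) -> List[str]:
    """One 'ip port N - host - METHOD path' line per distinct request, in first-seen order."""
    seen: List[str] = []
    for (ip, port), payload in flows:
        req = parse_http_request(payload)
        if req is None:
            continue
        line = f"{ip} port {port} - {req['host']} - {req['method']} {req['path']}"
        if line not in seen:
            seen.append(line)
    return seen


def decode_hex_query(query: str) -> Optional[str]:
    """If the query string is a bare, even-length run of hex digits, decode it and return
    the text when every byte is printable ASCII; otherwise return None (not hex, or binary)."""
    if not query or len(query) % 2 or not HEX_RUN.match(query):
        return None
    text = binascii.unhexlify(query).decode("ascii", "replace")
    return text if all(32 <= ord(c) < 127 for c in text) else None


if __name__ == "__main__":
    for line in summarize(SAMPLE_FLOWS):
        print(line)
    for _, payload in SAMPLE_FLOWS:
        req = parse_http_request(payload)
        if req and req["query"]:
            print(f"{req['host']} query decodes to: {decode_hex_query(req['query'])!r}")
```

Against the real pcap you would feed this the reassembled client-to-server payloads of each TCP stream (tshark's `tcp.payload` field or Scapy's session reassembly will do) rather than the constructed list; the parsing and decode logic is unchanged. A None from decode_hex_query on a genuine hex query means the content is binary (compressed or encrypted), which is itself worth noting.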
FILE HASHES
APK FILE:
- SHA256 hash: d3c91d70b028537d275e603bd36a14bc42555f089e5db6d17e3a652ff99ecd0d
File name: com.pokemon.gofor.guide.apk
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-09-02-Guide-for-Pokemon-Go-app-traffic.pcap.zip 2.4 MB (2,388,662 bytes)
- ZIP archive of the APK file: 2016-09-02-Guide-for-Pokemon-Go-apk-file.zip 2.1 MB (2,135,778 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.