2016-09-02 - ANDROID APP - GUIDE FOR POKEMON GO
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-09-02-Guide-for-Pokemon-Go-app-traffic.pcap.zip 2.4 MB (2,388,662 bytes)
- 2016-09-02-Guide-for-Pokemon-Go-app-traffic.pcap (2,698,723 bytes)
- 2016-09-02-Guide-for-Pokemon-Go-apk-file.zip 2.1 MB (2,136,070 bytes)
- com.pokemon.gofor.guide.apk (2,250,397 bytes)
NOTES:
- The "Guide for Pokemon Go" was an Android app available on Google Play.
- The developer is Markersel, who only had this one app on Google Play.
- I ran across a link to an APK file with the same name on gp.apiv7[.]com, which is a domain that was registered through GoDaddy.
- I installed the app from gp.apiv7[.]com on an old Samsung Galaxy S3 that I'd wiped and cleared the phone number from.
- Saw callback traffic over the wireless connection to at least two domains associated with Chinese individuals or organizations.
- Both the Google Play and the gp.apiv7[.]com versions of the app had the same callback traffic.
- Apps like this, created by independent or small-scale developers based in China, are common enough on Google Play that the callback traffic isn't much of an issue.
- Ultimately, I couldn't find anything actually malicious in either version of the app through the network traffic.
IMAGES
Shown above: Permissions requested when installing the app on an Android phone.
Shown above: Screenshot of the app when opened on the phone.
Shown above: A different (perhaps newer) version of the app is on Google Play.
Shown above: Wireless network traffic from the phone using the gp.apiv7[.]com version of the app.
Shown above: Wireless network traffic from the phone using the Google Play version of the app.
Shown above: Nothing of note in the traffic when I used tcpreplay on Security Onion with Suricata and the ETPRO ruleset.
Shown above: The only interesting thing I saw reading the pcap with Snort using the subscriber ruleset.
TRAFFIC
ASSOCIATED DOMAINS:
- 104.20.62[.]178 port 80 - gp.apiv7[.]com - GET /apk/googleplay/com.pokemon.gofor.guide.apk
- 52.220.59[.]122 port 80 - api.jigoolng[.]com - GET /only/gp0715/1.html?[long string of ASCII characters representing hex values]
- 110.173.196[.]36 port 80 - alog.umeng[.]com - POST /app_logs
- 106.39.219[.]1 port 80 - s.appjiagu[.]com - POST /pkl16.html
- 36.110.213[.]226 port 80 - a.appjiagu[.]com - POST /jiagu/t/infos
- 36.110.213[.]226 port 80 - a.appjiagu[.]com - POST /jiagu/mark/upgrade
FILE HASHES
APK FILE:
- SHA256 hash: d3c91d70b028537d275e603bd36a14bc42555f089e5db6d17e3a652ff99ecd0d
File name: com.pokemon.gofor.guide.apk