Malicious Pokemon Go guide with 500,000 downloads takes control of Android devices

Kaspersky Lab experts have discovered a new malicious app on the Google Play store called 'Pokemon Go Guide', which is able to gain root access rights on Android smartphones and use them to install or uninstall apps and display unsolicited ads.

The application has been downloaded more than 500,000 times, with at least 6,000 successful "infections". Kaspersky Lab has reported the Trojan to Google and the application has been removed from Google Play.

The global Pokemon Go phenomenon has led to a growing number of related applications and, inevitably, increased interest from the digital crime community. Kaspersky Lab's analysis of the Pokemon Go Guide Trojan uncovered malicious code that downloads rooting malware, which secures access to the core of the Android operating system in order to install and remove applications and show ads.

The Trojan includes some interesting features that help it bypass detection. For example, it is not launched when the victim starts the application. Instead, it waits for the user to install or uninstall another application, and then checks whether it is running on a real device or a virtual machine.

If it is a real device, the Trojan waits an additional two hours before starting its malicious activity. Even then, "infection" is not guaranteed. After the Trojan connects to its command server and uploads details of the "infected" device, including country, language, device model and operating system version, it waits for a response. Only when it receives this response does it proceed with further requests and the download, installation and execution of additional malicious modules.

This approach means that the control server can stop the attack if it wants, skipping users it does not want to target, or devices it suspects are sandboxes or virtual machines, for example. This provides an additional level of protection for the malware.
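The activation sequence described above (inert at launch, triggered by a package install or uninstall, dormant for two hours, then gated on the command server's reply) can be checked for in a dynamic-analysis timeline. The following is an added example, not code from Kaspersky Lab or from the original article; the event names, fields and sample timeline are a constructed format, not any real sandbox's schema.

```python
# Added example: event kinds and fields below are assumptions (constructed format).
PROFILE_FIELDS = {"country", "language", "model", "os_version"}
TWO_HOURS = 2 * 60 * 60

def find_gated_activation(events, min_delay=TWO_HOURS):
    """Return a finding dict if the timeline matches the delayed, server-gated
    activation described in the article, else None.
    `events` is a list of (seconds_since_install, kind, data) tuples."""
    events = sorted(events, key=lambda e: e[0])
    trigger = next((e for e in events if e[1] == "package_changed"), None)
    if trigger is None:
        return None
    # The app must stay quiet on the network until another package changes.
    if any(e[0] < trigger[0] and e[1] in ("net_request", "download") for e in events):
        return None
    # First request after the trigger that carries the device profile.
    beacon = next((e for e in events if e[1] == "net_request"
                   and e[0] > trigger[0] and PROFILE_FIELDS <= set(e[2])), None)
    if beacon is None or beacon[0] - trigger[0] < min_delay:
        return None
    reply = next((e for e in events
                  if e[1] == "net_response" and e[0] > beacon[0]), None)
    downloads = [e for e in events if e[1] == "download"]
    # Payload retrieval only counts as gated if it follows the server's reply.
    if any(reply is None or d[0] <= reply[0] for d in downloads):
        return None
    return {"trigger_at": trigger[0], "beacon_at": beacon[0],
            "dormant_for": beacon[0] - trigger[0],
            "server_replied": reply is not None,
            "payload_fetched": bool(downloads)}

def visible_in_window(events, window_s):
    """Would an analysis run of `window_s` seconds record any network activity?"""
    return any(e[0] <= window_s and e[1] in ("net_request", "download") for e in events)

SAMPLE = [  # constructed timeline, times in seconds
    (0, "app_launch", {}),
    (600, "package_changed", {"action": "install"}),
    (7900, "net_request", {"country": "XX", "language": "en",
                           "model": "generic", "os_version": "6.0"}),
    (7905, "net_response", {}),
    (7960, "download", {"bytes": 182344}),
]

if __name__ == "__main__":
    print(find_gated_activation(SAMPLE))
    print("seen in 10-minute run:", visible_in_window(SAMPLE, 600))
```

A run that ends before the two-hour delay has elapsed, or that never installs or uninstalls another package, records nothing, which is why short automated scans can miss this behaviour.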

Once rooting rights are obtained, the Trojan installs its modules into the device's system folders, silently installing and uninstalling other apps and displaying unsolicited ads to the user.

Kaspersky Lab's analysis shows that at least one other version of the Pokemon Go Guide malware was available through Google Play in July 2016. In addition, researchers have tracked at least nine other applications "infected" with the same Trojan that were available on the Google Play Store at various times since December 2015.

Kaspersky Lab data shows that there have been over 6,000 successful "infections" to date, including in Russia, India and Indonesia. However, since the application is geared towards English-speaking users, people in English-speaking regions, and many others, are also very likely to be affected.

"In the electronic world, wherever consumers go, digital criminals will run to follow them. Pokemon Go is no exception. The victims of this Trojan may, at least at first, not even notice the increase in distracting advertisements, but the long-term effects of "contamination" could be far more damaging. If you have fallen victim, then someone else has entered your phone and has control over your operating system and everything you do and save on it. Even if the application is now removed from the app store, there are almost half a million people out there vulnerable to "infections," and we hope that this announcement will warn them to take appropriate action," said Roman Unuchek, Kaspersky Lab's Senior Malware Analyst.

People concerned that they may have come into contact with the Trojan should install a reliable security solution, such as Kaspersky Internet Security for Android, on their device.

If the security scan shows that they are already "infected", the best way to remove rooting malware is to back up all data and restore the device to factory settings.

In addition, Kaspersky Lab recommends that users always check that applications are created by a trusted developer, keep the operating system and their applications up to date, and not download anything that looks suspicious or whose origin cannot be verified.

To learn more about the "Pokemon Go Guide" rooting Trojan, you can read the information on the dedicated site Securelist.com.

All Kaspersky Lab products detect the Trojan under the name HEUR:Trojan.AndroidOS.Ztorg.ad.

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
