About half a million Pokémon Go players downloaded a malicious Android app masquerading as a "Guide for Pokémon Go" from the Google Play store before it was pulled. Kaspersky Lab researchers estimate that the phony app succeeded in infecting at least 6,000 devices before Google removed it from the Play Store after the researchers reported it.
"In the past few months, almost six million people gave Pokémon Go a try," Kaspersky Lab's Kate Kochetkova wrote in a blog post published 14 September. "It's no wonder that the massively popular game quickly caught the attention of cybercriminals."
Researchers found that the latest Trojan, detected as HEUR:Trojan.AndroidOS.Ztorg.ad, included code that rooted victims' devices and then installed further malicious files and unwanted apps.
After the user installed the app, the malware remained dormant for a while to determine whether it was running on a real phone or on a virtual machine of the kind security researchers use to analyse suspicious apps.
Once it had confirmed it was on a real device, the Trojan sent its operators detailed information about the infected device, such as the model, OS version, default language, country and more.
If, after analysing that information, the operators judged the victim suitable for their purposes, they could order the app to install hidden software to root the system, covertly install other unwanted apps and flood the user's phone with ads.
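The "real phone or virtual machine" check above is the part an analyst can do something about: a stock emulator leaks its nature through a handful of build properties, and sandbox-aware malware typically reads those before doing anything observable. The following is an added example, not code from the article or from Kaspersky's analysis, and the property checks it performs are assumed to be the common ones rather than whatever this particular Trojan used. It scores `adb shell getprop`-style output for the usual emulator indicators (the sample input is constructed to look like a stock emulator), so you can see what your analysis device gives away before you run a suspected sample on it.

```shell
#!/bin/sh
# Added example (not from the article or Kaspersky): score Android build
# properties for emulator indicators that sandbox-aware malware commonly
# checks. Which properties the "Guide for Pokémon Go" Trojan actually read
# is not stated in the article; the checks below are assumptions based on
# widely used emulator-detection heuristics.
#
# Input format is the output of `adb shell getprop`: "[key]: [value]".

# Constructed sample resembling a stock Android SDK emulator's properties.
SAMPLE_PROPS='[ro.build.fingerprint]: [Android/sdk_phone_x86/generic_x86:7.0/NYC/1234:userdebug/test-keys]
[ro.hardware]: [ranchu]
[ro.kernel.qemu]: [1]
[ro.product.model]: [Android SDK built for x86]
[ro.product.manufacturer]: [unknown]'

# emulator_score: reads getprop-style lines on stdin and prints the number
# of emulator indicators matched. 0 means nothing obvious was found.
emulator_score() {
    score=0
    while IFS= read -r line; do
        # Parse "[key]: [value]" with POSIX parameter expansion only.
        key=${line#\[}; key=${key%%\]*}
        val=${line#*: \[}; val=${val%\]}
        case "$key" in
            ro.kernel.qemu)
                # Set to 1 on QEMU-based emulators (goldfish/ranchu).
                if [ "$val" = "1" ]; then score=$((score + 1)); fi ;;
            ro.hardware)
                case "$val" in
                    goldfish|ranchu) score=$((score + 1)) ;;
                esac ;;
            ro.build.fingerprint)
                # "generic" product names and test-signed builds.
                case "$val" in
                    *generic*|*test-keys*) score=$((score + 1)) ;;
                esac ;;
            ro.product.model)
                case "$val" in
                    *sdk*|*SDK*|*Emulator*) score=$((score + 1)) ;;
                esac ;;
            ro.product.manufacturer)
                if [ "$val" = "unknown" ]; then score=$((score + 1)); fi ;;
        esac
    done
    echo "$score"
}

# Stand-alone run against the constructed sample (prints 5).
printf '%s\n' "$SAMPLE_PROPS" | emulator_score
```

Against a real analysis device, pipe `adb shell getprop` into `emulator_score`; a non-zero score tells you which properties to override (or which physical test device to use instead) before expecting a delayed-execution sample to show its second stage.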
"Advertisements are rarely pleasant," Kochetkova writes. "It's one thing to watch ads from Google... It's quite another thing when criminals infect your phone with malware to display banners all the time.
"However, the worst part of this infection is hidden: Guide for Pokémon Go can secretly install any apps on your device. For now, criminals have chosen a relatively mild way to earn money: ads. Tomorrow, they may decide to increase their income by locking your device and demanding ransom - or stealing money from your bank account."
Prior to its removal from the store, researchers said, the Trojan appeared to target users in English-speaking regions, but infected devices were also seen in Russia, India and Indonesia, among other countries.
They also noted that at least one other version of the app in question was available through the Google Play Store in July, shortly after the wildly popular augmented reality game was released. At least nine other apps on the Google Play Store were found to carry the same Trojan module at various times since December 2015, including a "Digital Clock" app with over 100,000 downloads.
Since its release in early July, Pokémon Go has swept the globe, encouraging millions of users to explore their surroundings and capture pocket monsters via their smartphones.
Although the initial hype surrounding the hit mobile game seems to have died down, app analysis firm SensorTower estimates that the game has grossed over $440m (£330.9m) so far, with developer Niantic netting more than $308m of that.
The GPS-powered game still brings in an estimated $4m or more in daily net revenue worldwide, the firm said.