
Pokémon Mayhem!

In case you just came back from vacation or live under a rock, there is a new craze going on with an augmented-reality smartphone app called Pokémon Go. It's a geocaching game, meaning it's tied to real-world locations. It's a smash hit that is sending people into the streets to catch virtual creatures, which players can capture, train and trade, at real-world locations called "Pokestops".

However, the game's rapid rollout and breakaway success have their risks. It's from Niantic, a Google spin-off that makes Ingress, which is a very popular multiplayer game, but Pokémon Go has immediately hit several security and privacy-related speed bumps, and not all of them are virtual.

First: Muggings

In this game, players can meet in real life using the Pokestop feature to do virtual battle, and police in O'Fallon, Mo., say that a group of four individuals apparently used that feature to lure other players to remote locations with the intention of robbing them. Police said they responded to an armed robbery report at 2 a.m. on July 10, and arrested four suspects - one of whom was a juvenile - who were in a BMW.

Second: The Google Login Permissions Problem

Many security researchers have been warning that the initial release of the Pokémon Go app has access to many more device permissions than it needs, which creates a possible privacy risk. Some information security experts - such as Veracode CTO Chris Wysopal - have even been urging users to create "burner" Apple or Google accounts that get used only with the game.

Third: Trojanized Apps

Just 72 hours after the release of Pokémon, bad guys had Trojanized a legitimate version of the no-charge Android app to include malware and released it via unofficial, third-party app stores, researchers at security firm Proofpoint said. The malicious Android application file "was modified to include the remote access tool called DroidJack - also known as SandroRAT, which would virtually give an attacker full control over a victim's phone," the researchers warn in a blog post. Gaming websites have begun publishing instructions about how users can download the app, including using side-loading - evading Google's official app store - to install it. Proofpoint said: "In the case of the compromised Pokémon Go APK we analyzed, the potential exists for attackers to completely compromise a mobile device. If that device is brought onto a corporate network, networked resources are also at risk."

Stay safe out there!

The Team at Acuity

