Warning! Your 'Pokemon Go' app may be spying on you

500,000 users have downloaded a rogue Pokemon Go app that takes control of Android phones.

A new app based on the Pokemon Go game available on the Google Play store can seize root access rights of Android smartphones and display unsolicited ads.

The app, 'Guide for Pokemon Go', has the capability of uploading the details of the device and the user, such as country, language, device model and software version, to its command server discreetly.

The app then silently installs and uninstalls other apps and displays unsolicited ads to the user.

According to a report by Kaspersky Lab experts, the app has been downloaded more than 500,000 times, with at least 6,000 successful infections. Kaspersky Lab has reported the Trojan to Google and the app has been removed from Google Play.

The trojan includes some interesting features that help it to bypass detection. For example, it doesn't start as soon as the victim launches the app. Instead, it waits for the user to install or uninstall another app, and then checks to see whether that app runs on a real device or on a virtual machine. If it's dealing with a device, the trojan will wait a further two hours before starting its malicious activity. Even then, infection is not guaranteed. After connecting with its command server and uploading details of the infected device, including country, language, device model and OS version, the trojan will wait for a response. Only if it hears back will it proceed with further requests and the downloading, installation and implementation of additional malware modules.

This approach means that the control server can stop the attack from proceeding if it wants to - skipping those users it does not wish to target, or those which it suspects are a sandbox/virtual machine, for example. This provides an additional layer of protection for the malware.

Once rooting rights have been enabled, the trojan will install its modules into the device's system folders, silently installing and uninstalling other apps and displaying unsolicited ads to the user.

Kaspersky Lab analysis shows that at least one other version of the malicious Pokemon Guide app was available through Google Play in July 2016. Further, researchers have tracked back at least nine other apps infected with the same trojan and available on Google Play Store at different times since December 2015.

Kaspersky Lab's data suggests that there have been just over 6,000 successful infections to date, including in Russia, India and Indonesia. However, since the app is oriented towards English-speaking users, people in such geographies, and more, are also likely to have been hit.

"In the online world, wherever the consumers go, the cybercriminals will be quick to follow. Pokemon Go is no exception. Victims of this trojan may, at least at first, not even notice the increase in annoying and disruptive advertising, but the long term implications of infection could be far more sinister. If you've been hit, then someone else is inside your phone and has control over the operating system and everything you do and store on it. Even though the app has now been removed from the store, there's up to half a million people out there vulnerable to infection -- and we hope this announcement will alert them to the need to take action," said Roman Unuchek, senior malware analyst, Kaspersky Lab.

People concerned that they may face the Trojan should install a reliable security solution, such as Kaspersky Internet Security for Android, on their device. If the security scan will show that they are already infected, the best way to remove the rooting malware is to backup all data and reset the device to factory settings. In addition, Kaspersky Lab advises users to always check that apps have been created by a reputable developer, to keep their operating system and application software up-to-date, and not to download anything that looks at all suspicious or whose source cannot be verified.

• Mobiles