An exploit for the new Pokemon Go mobile app uses the latest vulnerability in iOS and Android to make it possible to download and install malicious applications, such as spyware, Trojan horses and adware, simply by opening the app.
The exploit is used in a new, unnamed version of the app, believed to be the same one used by the hacker group Anonymous, which last month released a video showing the malicious exploits in action.
The app allows users to collect data on other people’s locations using GPS or Bluetooth.
It is also capable of sending users to malicious websites, according to researchers from the security firm Symantec.
Users of the exploit are encouraged to scan their phones with a tool to verify that they have installed the new version of Pokemon Go.
Users can download the update from the app’s official website, but the company warns users not to do so, because it could expose users to the exploit.
“We strongly advise all users to install the latest security update, as this could expose them to an exploit and may result in them becoming victims of the exploitation,” a company spokesperson told TechRadar.
“It is a recommended update, which should be installed on all iOS and Google Play Store devices running iOS 9 or later.”
Symantec said that while the exploit is now used by hackers to infect iPhones and iPads, the company does not believe it was the work of the group.
The group claims to have used the exploit to compromise Apple devices, but has not yet released proof of its exploits and refuses to disclose details of the hack or of its methodology.
The latest exploit is similar to one released last month by the same group, which exploited the same vulnerability to infect devices in the iPhone and iPad family.
The iOS vulnerability was patched last month and was used by Anonymous to release a video that showed the exploit in action on a fake iPhone.
The hackers used the same exploit to install a backdoor that was then used to infect an iPhone 6s and 6s Plus.
In a statement, the hacker’s Twitter account said it had released the latest exploit “to let the world know what’s going on with the Pokemon Go app”.
The company has already published patches for the two vulnerabilities, which Symantec said “require the developer to address the issues raised”.
Symantec told the BBC that it was “very concerned” about the use of the new exploit in Pokemon Go, which has been downloaded more than 50 million times in the first 24 hours after it was released.
“This exploit has the potential to compromise any device that has installed it,” it said.
“If a device is vulnerable to this exploit, we strongly recommend the user to uninstall the app immediately.”
Users should install the newest update, the app advises, but it is not recommended to do this.
It has not been possible to verify whether the exploit was developed by Anonymous, or if it is still active.
The company is also warning users to be cautious of apps that may be installed through the update.