Infected Pokémon Go APKs being distributed online are spreading new malware across Android devices. “Droidjack” can give attackers full control over your smartphone or tablet, but it can be easily avoided.

Pokémon Go made its official debut exactly one week ago, and it has become insanely popular during that time. However, the title still isn’t available in all countries yet, which means some Android users have resorted to downloading the APK and side-loading it manually.

Although there are safe APKs out there, malicious versions that contain malware appeared less than 72 hours after the game was released, according to security firm Proofpoint. The packages contain malware that can “virtually give an attacker full control over a victim’s phone.”

Fortunately, it’s easy to avoid “Droidjack” by simply not downloading Pokémon Go APKs from untrusted sources. If you can, wait for the game to hit Google Play in your region and grab it then — the U.K. and Europe are expected to get it this week.

“Individuals worried about whether or not they downloaded a malicious APK have a few options to help them determine if they are now infected,” explains Proofpoint. “First, they may check the SHA256 hash of the downloaded APK.”

The hash of the official Pokémon Go package is 8bf2b0865bef06906cd854492dece202482c04ce9c5e881e02d2b6235661ab67. If yours doesn’t match, you might want to get rid of your existing install as soon as possible.

The second method of detecting a malicious APK is to establish what kind of permissions it has been granted. Here’s what the Droidjack malware requires to access your data and take control of your device:


In comparison, the official Pokémon Go game does not require any of the permissions highlighted in red.