The Pokémon Go craze is sweeping across America. See how the game works, why everyone's so crazy about it, and all the stories that have come from it, from the game's positive impact on depression victims to armed robberies. (Jhaan Elker/The Washington Post)

Pokémon Go players are packing America's sidewalks, trying desperately to catch 'em all (Pokémon for newbies, that is) by exploring their neighborhoods with the augmented-reality app. But there may be one thing lurking in their games that they really don't want to catch: malware.

It turns out that even hackers are going crazy about Pokémon Go, according to cybersecurity researchers -- and there's a fishy Android version of the game that would make the villainous Team Rocket proud. The fake version is almost impossible to distinguish from the actual game when you start it up. But it secretly includes a kind of malware called DroidJack that can basically take over your device and steal information from it, the cybersecurity firm Proofpoint reported in a recent blog post.

Proofpoint found the fake app through a service where people submit suspicious software for review, not by actually finding the infection on people's phones — so it might not be that widespread yet. And if you downloaded Pokémon Go through Google's official Play Store, you don't have anything to worry about. You can stop reading this now and go start hunting for Pikachu.

But if you sidestepped the official app store and installed a version of the game from some sketchy website, now is the time to make sure you have the real deal.

Luckily, there is a pretty easy way to figure out whether the copy of Pokémon Go on your smartphone is legit: by looking at the app's permissions.

Most users should be able to find those by going to the settings menu on their phone, then choosing apps and selecting Pokémon Go. If you scroll down that page, there should be a permissions list that shows what kind of access the app has on your device.

Here's what it should look like if you have the real version of the game:


What Pokémon Go's permissions should look like on Android. (Proofpoint)

And here are all the permissions the bad version has with the sketchy ones highlighted in red boxes by Proofpoint:


The permissions claimed by the fake, malicious version of Pokémon Go for Android. The red boxes show the ones that are different from the legitimate app. (Proofpoint)

If you have the fake, infected version, uninstall it now -- and consider this a teaching moment about why you should stick to official app stores: They don't always filter out every malicious app, but they are still much safer than going out into the digital wild.
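The same permission comparison can be done from a computer by diffing what an installed app requests against a known-good baseline. The sketch below is an added example, not code from Proofpoint or the article. It parses output in the style of `adb shell dumpsys package <package>`, and the sample output, the `com.example.game` package name and the baseline set are all constructed for illustration.

```python
# Assumption: baseline of permissions the genuine build requests. Constructed
# for illustration; fill it in from a copy installed via the official store.
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
}

# Constructed sample of `adb shell dumpsys package <package>` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.game] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.CAMERA
      android.permission.READ_SMS
      android.permission.RECORD_AUDIO: restricted=true
    install permissions:
      android.permission.INTERNET: granted=true
"""

def requested_permissions(dumpsys_text):
    """Return the set of permissions listed under 'requested permissions:'."""
    perms, header_indent = set(), None
    for line in dumpsys_text.splitlines():
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if header_indent is None:
            if stripped == "requested permissions:":
                header_indent = indent  # remember where the section starts
            continue
        if not stripped:
            continue
        if indent <= header_indent:
            break  # next section header: the permission list has ended
        # Some Android versions append flags such as ": restricted=true".
        perms.add(stripped.split(":", 1)[0])
    return perms

def unexpected_permissions(dumpsys_text, expected=EXPECTED):
    """Permissions the installed app requests that the baseline does not."""
    return sorted(requested_permissions(dumpsys_text) - set(expected))

if __name__ == "__main__":
    for perm in unexpected_permissions(SAMPLE_DUMPSYS):
        print("not in baseline:", perm)
```

Anything the script reports is a permission worth checking against the legitimate app's listing before trusting the install.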