Proofpoint found the fake app through a service where people submit suspicious software for review, not by actually finding the infection on people's phones — so it might not be that widespread yet. And if you downloaded Pokémon Go through Google's official Play Store, you don't have anything to worry about. You can stop reading this now and go start hunting for Pikachu.
But if you sidestepped the official app store and installed a version of the game from some sketchy website, now is the time to make sure you have the real deal.
Luckily, there is a pretty easy way to figure out whether the copy of Pokémon Go on your smartphone is legit: by looking at the app's permissions.
Most users should be able to find those by going to the settings menu on their phone, then choosing apps and selecting Pokémon Go. If you scroll down that page, there should be a permissions list that shows what kind of access the app has on your device.
Here's what it should look like if you have the real version of the game:
And here are all the permissions the bad version has with the sketchy ones highlighted in red boxes by Proofpoint:
If you have the fake, infected version, uninstall it now -- and consider this a teaching moment about why you should stick to official app stores: They don't always filter out every malicious app, but they are still much safer than going out into the digital wild.