IOS issue:
When users sign in with a Google account. It asks for and gets full access to their account. That means the game can read your email, send email, access Google drive documents, look at search and Maps navigation history, and access any private photos you may stored in Google.
It may be that the creators just used some sloppy programming. Instead of using the “OAuth mechanism” to get only the necessary information they need.
Android issue:
The Android app allows the side-loading of an app from the raw Android application package (APK) files. Because the global roll out has been slowed due to overloaded servers, some Android users are downloading “Pokemon Go” from dodgy places and then install the APK files because they cannot find the legitimate app supported in their area.
Cybercriminals are modifying and using these APK files as a way to transport and install their own malware.
Security firm Proofpoint noted that “this specific APK was modified to include the malicious remote-access tool (RAT) called DroidJack (also known as SandroRAT), which would virtually give an attacker full control over a victim’s phone.”
Most users will not be able to distinguish the standard version of “Pokemon Go” from an unsecure one. Users wont know that they have been hijacked with a malicious version of the game.