
The tireless, automated bots that want to play Pokémon Go for you

GPS-spoofing programs open up a big cheating problem for developer Niantic.

Why go to the trouble of playing Pokémon Go when this bot offers to do it for you?

Last week, we took a look into the growing world of Pokémon Go hacks that reveal the location of usually hidden Pokémon nearby. Now, a new wave of PC-based Pokémon Go "bots" take the hacking a step further, spoofing locations and automating actions to essentially play the game for you while you sit in the comfort of your own home.

There are a number of competing bots out there, from the open source Necrobot to the pre-compiled Pokébuddy to MyGoBot, which recently started charging $4.99 for its automation tool following a three-hour free trial. All of them work on the same basic principles, sending artificial data to the Pokémon Go servers to simulate an extremely efficient, entirely tireless player.

The user first provides a latitude and longitude as a starting point (the center of any major city is a good place to start) and some Pokémon Go account credentials to authenticate with the servers. The bot then finds any nearby Pokémon (using those previously discussed mapping functions) and simulates a "walk" to the nearest one by sending spoofed GPS coordinates to the server at appropriate intervals. When the bot gets close enough to a Pokémon, it can use a simple API call to quickly catch it before moving on to the next target.

Bots can also trade in duplicate Pokémon for resources, collect new Pokéballs when passing Pokéstops, incubate and hatch eggs, evolve Pokémon, and even prioritize which Pokémon to catch and which to ignore based on their individual stats. You know... all that boring stuff you'd be doing if you were playing the game instead of cheating at it.

Rather than Pokémon Go's compelling augmented reality interface, the bots simply provide "players" with a running textual readout of their quickly rising stats and virtualized activities. The automation of every single in-game move means a bot can advance in the game much more quickly than humanly possible. In Ars' tests, a Pokémon Go bot was able to earn about 50,000 experience points an hour, reaching level 15 in a single afternoon while running in the background. With 24/7 play, a bot could easily start reaching the diminishing returns of the game's higher levels in a matter of days.

Unlike The Division, which recently saw its direct player-vs-player competition practically ruined by a wave of cheaters, automation has less practical effect on the exploration-based gameplay of Pokémon Go. Automating Pokémon Go is in some ways like writing a computer program to slowly count to a million rather than going through the trouble of counting yourself—except in this case, instead of counting, you're depriving yourself of an excuse to go get some fresh air and exercise (and maybe meet some fellow players along the way).

Still, if use of these kinds of bots becomes widespread, the Pokémon Go ecosystem could be profoundly impacted. A normal player, limited by time and physical constraints, wouldn't stand a chance against the Pokémon collection a bot user can amass in just a few days of automated use. Such automated players would have a huge advantage in trying to take over any nearby gyms or defend them from the opposition.

MyGoBot might be pretty efficient, but it's a lot less interesting to look at than an actual game of Pokemon Go.

While these automation tools are explicitly against Pokémon Go's Terms of Use, it's unclear just how effective Pokémon Go developer Niantic is in detecting and stopping their use. There are plenty of reports of users getting a "soft ban" while using bots, but most of those come from easy-to-detect GPS fraud, such as a player suddenly "warping" from China to the USA in a five-minute span.

Players that avoid such egregious cheating and limit their simulated walk speed to around 30km/h seem relatively safe from detection at this point (though we suggest using a dummy account if you're just curious and don't want to risk a ban). MyGoBot is confident enough in its ability to avoid detection that its webpage boasts that "it’s safe to stay [sic] MyGoBot will continue being stable with consistent functionality for the foreseeable future."

This isn't a new problem for Niantic. The company has been engaged in a constant battle with cheaters in its first game, Ingress, since its late 2013 launch. Niantic doesn't generally discuss the details of its cheat detection algorithms (and hasn't responded to a request for comment from Ars), but the developer regularly rolls out new updates "specifically focused on agents trying to falsify their location and automate gameplay," as an update note from May put it.

Despite these efforts, Ingress players still often complain that Niantic's algorithms aren't very effective at finding or deterring players who want to spoof their locations or use multiple accounts to increase their relative in-game power. Instead, the game has come to rely on an "honor code" that encourages players to report cheaters as they find them.

"Ingress still has a spoofing problem, if not much worse than before," an anonymous user said last year in a Quora topic discussing cheating in Ingress. "I am part of a community that has reported dozens of accounts for spoofing on an international scale. Getting a response from Niantic is 'iffy' at best. Sometimes they get banned. Most of the time we (the reporters) are ignored."

Ingress' adversarial nature provided a bit of a natural check on widespread cheating, though. If a player on one of the game's two massive factions (The Enlightened and The Resistance) notices a player on the other side playing suspiciously, it's in their interest to report the opposing cheater. Things might not work quite so easily in Pokémon Go, where it can be hard to tell at a glance if the extremely powerful Pokémon currently sitting on a nearby gym was acquired through honest play or automated botting.

There are more heuristic algorithms Niantic could roll out to try to detect automated play as it happens. Accounts that capture dozens of Pokémon in a span of 60 seconds, for instance, or that are able to play non-stop for days on end can probably be singled out as bots. Niantic would have to be careful to ensure these algorithms don't generate false positives that ban honest players, though. What's more, bot-makers could quickly reverse engineer what behaviors are leading to bans and rewrite their software to act more human.
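The heuristics described above (impossible "warps," bursts of catches, non-stop sessions), sketched as an added example that is not Niantic's detection code or part of the original article. The event format, threshold values and sample accounts are assumptions constructed for illustration.

```python
import math
from collections import deque

# Assumed thresholds for illustration; generous to limit false positives.
MAX_SPEED_KMH = 1000.0    # above airliner speed, so a real flight does not trip it
MAX_CATCHES_PER_MIN = 12  # catches allowed inside any 60-second window
MAX_SESSION_HOURS = 20.0  # longest plausible unbroken session
MAX_GAP_S = 1800          # a pause longer than this starts a new session

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(min(1.0, math.sqrt(a)))

def flag_account(events):
    """events: time-ordered (unix_ts, lat, lon, action) tuples; returns fired heuristics."""
    flags, catches, prev, session_start = set(), deque(), None, None
    for ts, lat, lon, action in events:
        dt = ts - prev[0] if prev else None
        if dt is None or dt > MAX_GAP_S:
            session_start = ts                      # first event or long pause
        if dt:                                      # skip first event and dt == 0
            speed = haversine_km(prev[1], prev[2], lat, lon) / (dt / 3600)
            if speed > MAX_SPEED_KMH:
                flags.add("impossible_travel")
        if (ts - session_start) / 3600 > MAX_SESSION_HOURS:
            flags.add("nonstop_play")
        if action == "catch":
            catches.append(ts)
            while ts - catches[0] >= 60:            # drop catches outside the window
                catches.popleft()
            if len(catches) > MAX_CATCHES_PER_MIN:
                flags.add("catch_burst")
        prev = (ts, lat, lon)
    return flags

# Constructed sample accounts (not real telemetry).
NYC = (40.7128, -74.0060)
HONEST = [(0, 40.7128, -74.0060, "move"), (60, 40.7133, -74.0060, "catch"),
          (4000, 40.7140, -74.0060, "catch")]
WARP = [(0, 39.9042, 116.4074, "move"), (300, *NYC, "move")]      # China to USA in 5 min
BURST = [(t, *NYC, "catch") for t in range(0, 48, 2)]             # 24 catches in 46 s
NONSTOP = [(t, *NYC, "spin") for t in range(0, 48 * 3600, 600)]   # 48 h without a pause

if __name__ == "__main__":
    for name, ev in [("honest", HONEST), ("warp", WARP), ("burst", BURST), ("nonstop", NONSTOP)]:
        print(name, sorted(flag_account(ev)))
```

Each heuristic only raises a flag for review; as the paragraph above notes, thresholds like these would have to be tuned against honest-player data before any ban is applied.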

One thing's for sure: with a game as popular as Pokémon Go, the cheating problem is likely to get worse before it gets better. Welcome to the future, where we write software to pretend to walk around catching pretend monsters instead of doing it ourselves.
