At a glance, "Pokémon Go Ultimate" looks a lot like the official app -- but after installation the app renames itself "PI Network." Launching it immediately causes a user's device to lock up, rending the phone unusable until the battery is removed or the device is rebooted via the Android Device Manager. Once the phone reboots, the app hides itself and generates ad-revenue by silently clicking ads in the background. It could be worse, too: ESET's blog says that the app is only one step away from being ransomware.
Two other fraudulent Pokémon apps briefly surfaced that produced fake security messages, attempting to trick users into paying for a virus removal service that doesn't exist. At present, all three apps seem to be removed from Google Play, but be on guard: more are likely to show up in the coming days. By all means, join the Pokémon revolution -- just make sure you're downloading the real app before you head out to catch 'em all. Check out the source links below for ESET's full advisory and security recommendations.