Two weeks ago, Epic Games CEO Tim Sweeney confirmed that the Android version of Fortnite, largely seen as the most popular game in the world, would not be available through the Google Play Store. Instead, fans would have to install it from the web. The announcement drew heaps of attention—not least of which came from peddlers of malware.
Fortnite only became broadly available on Android this week. But on August 3, the day of Sweeney’s announcement, WIRED quickly discovered seven sites advertising themselves as Android Fortnite downloads. Analysis from mobile security company Lookout found that each of those sites distributed malware to anyone who fell for the scam.
The finding serves as a caution to Fortnite fans only to download from the official Epic Games site. More importantly, it’s a reminder of the real risks that come with operating outside of the Google Play Store—risks that could end up extending well beyond the battle bus.
There’s not much complexity as to why Epic Games decided to ditch the Play Store. Google takes 30 percent off the top of every purchase that goes through its official channels. One estimate pegs Fortnite’s daily take on iOS at about $2 million. Yes, $2 million a day. You don’t need advanced calculus to see why Epic wants to skip a tithe if it can.
On iOS, it can’t. Every app on your iPhone has to route through the App Store, no exceptions. Android’s an open system, though. It’s more permissive. You can dig into your settings—it varies by device, but you’ll generally find it under some combination of “Security” and “Applications”—and allow Chrome or any other app to download whatever you please.
As you might imagine, that’s also where the trouble starts. The Google Play Store is not perfect, but it has aggressive built-in malware protections. The open internet, meanwhile, is a terrible goblin town.
“We have found many examples of apps that have been manipulated to deliver hostile content such as remote access Trojans, banking Trojans, cryptomining software, and other malicious software,” says Dan Wiley, head of incident response at Check Point, another security firm that tracks mobile threats. “The apps look exactly like the real app and, many times, behave just like the official app.”
Which is true of the Fortnite impostors as well. At least to a point.
Lookout security researchers Adam Bauer and Christoph Hebeisen analyzed software pushed by the seven sites WIRED discovered, each of which claimed to offer the legitimate Fortnite Android app. Many of the sites, which we won’t link to here for obvious reasons, include "Fortnite" in the URL and have convincing enough landing pages featuring imagery from the game.
All of them distribute malware that comes from two distinct families. The first category, which Lookout calls FakeNight, plays videos that look like a Fortnite game-loading screen, then shows a prompt that reads, “Mobile Verification Required.” From there, you’re taken to a browser window and told that if you click enough ads, you’ll get a game code in return. The game code never materializes.
The other family, which Lookout calls WeakSignal, also presents a convincing Fortnite loading screen but places a rotating series of programmatic ads on top of it. Eventually it tells you that you have a weak signal and that you should try again later.
As far as malware goes, it’s not the worst outcome—the grift basically enlists you in a click farm, to score money for the attacker off of ad networks. It's not a surprising outcome either. “Most commonly, malware is about generating revenue, and the easiest way to do that without having any police force after you is probably adware and click fraud,” says Hebeisen. “Frequently there are no consequences to it.”
More troubling, though, is that rather than lurking on some backwater download site, many of these offerings had high search placement on Bing and Yahoo. Which, yes, OK, but those combined still represent more than 12 percent of US searches, which adds up quickly. And for nearly two weeks, the top result on both for “Fortnite android app” was a link to one of the malware impostors. After inquiries from WIRED to both Bing and Epic Games, many of those problematic results were removed. Google had taken several Fortnite malware hosting pages down already, citing a DMCA complaint.
Bear in mind, too, that this represents just a portion of the impostor Fortnite malware that has been and will continue to circulate. In May, a cloud security company called Zscaler said it had found a phony Fortnite app loaded up with spyware, complete with the ability to harvest call logs. That app also prompted users for Accessibility permissions, which would have granted it access to the phone’s camera and more.
Epic Games isn't the first major company to circumvent the Play Store tax. Amazon has operated its own Android app storefront for years, which requires the same workarounds as Fortnite. It’s also far from the first popular app to inspire malicious copycats. Mike Murray, Lookout vice president of security intelligence, notes that Pokémon Go imitators at this point number in the thousands.
Still, no title this popular has ever operated outside of Android’s garden walls. That has unique implications.
“This is exactly what makes this case interesting and special,” Hebeisen says. “When we are looking at fake apps that pretend to be a particular game, and that game is available on the Play Store, there’s a fairly high barrier for people to download that game from somewhere else, because they know that’s not a legitimate source.”
Not only that, but the unprecedented demand for Fortnite makes it an irresistible target for internet miscreants to begin with. Bigger watering holes attract more prey. “A minor app not used by many people is not a large attack surface," says Check Point’s Wiley. "This is one of the hottest games in town. If I was a bad guy, I would target the largest pool of victims I could. Fortnite seems to fit that bill.”
Or, as Hebeisen puts it, coining something of a mobile security koan: “Where there’s a market for malware, more malware will follow.”
What concerns the Lookout team more than Fortnite copycats, though, is the idea that the developer’s experiment could make dodging the Play Store—and its security protections—more commonplace. If Fortnite acclimates people to downloading from the wild web, how many other developers would take a shot? Why give up nearly a third of your revenue if you don’t have to?
“If one app does this, you might know exactly what website to go get that one app at. It’s the situation where this becomes a trend, and if you want 100 apps on your phone, you have to go to 100 websites, and how do you know which one is legitimate,” Murray says. “It’s when this trend is normalized that we’ll really see the impact.”
Epic Games has legitimate reasons for bucking Google’s fee. Google has legitimate reasons for charging it. The only true bad guys in this scenario are the predatory malware authors. But going outside the Play Store unquestionably puts Fortnite fans at risk. It already has.
- Behind The Meg, the movie the internet wouldn't let die
- Simple steps to protect yourself on public Wi-Fi
- How to make millions charging prisoners to send an email
- Who's to blame for your bad tech habits? It's complicated
- The genetics (and ethics) of making humans fit for Mars
- Looking for more? Sign up for our daily newsletter and never miss our latest and greatest stories
