Fortnite, the sandbox video game, has become so popular that its maker, Epic Games, is ponying up $100 to $300 million to supply prize money for eSports tournaments. What it hasn’t ponied up for – at least not yet – is an Android version. Which means the bad guys are having a field day.
We reported not too long ago on the scourge of fake Fortnite Android apps spreading around the web, looking to entice desperate mobile gamers hungry for a version they can play on their Galaxy devices, et al – and because the game has not been officially released for the platform, these have been quite successful. The Google search “Fortnite for Android” is one of the first auto-fill suggestions for search terms, indicating its popularity. All too often these searches go to scam sites.
Malicious App Infects 60,000 Android Devices – But Still Saves Their Batteries
WannaCry Kill Switch Hero Faces New Charges, But Code Evals Say Little
U.S. Intelligence Cautions World Cup Travelers on Mobile Use
Fortnite is a mostly-free online multiplayer role-playing game where gamers can buy “skins” to become different characters and species, along with armor and other accoutrements; they can also build structures and do battle and generally live an alt-life within the Fortnite world. It doesn’t take itself too seriously, either: It has a cartoon look and offers a “disco bomb” that makes opposing warriors break into dance numbers.
It is, in short, fun—and has attracted, to date, 125 million active players for its most popular mode, “Battle Royale” – which is a pretty spectacular threat surface of potentially non-security-savvy consumers to go after, if you’re a cybercriminal type.
Recently, malefactors have doubled down on duping Fortnite enthusiasts, releasing YouTube videos with links to scam versions of the game. Once a faux version is installed, it asks for more downloads, one after another – and the scammers make a commission on each download. These scam apps can also spread malware.
“Epic Games is on the verge of releasing a version of its immensely popular online game Fortnite for Android users, and everyone’s excited,” said Paul Ducklin, senior technologist at Sophos, in an email interview. “Unfortunately, many people just can’t wait and are hunting for early access versions – and, guess what, cybercrooks are happy to oblige… with malware. Don’t do it!”
Of course, sticking to the official Google Play store can go a long way to solving the problem, as is the case with most malicious app issues.
“The root problem is not fake Fortnite apps per-se, but the existence of malicious apps in general, and in the excitement of the moment, an individual downloading what looks to be an app via a mobile browser vs an official app store,” said Anupam Sahai, vice president of product management at Cavirin, in an email to Threatpost. “This opens up a host of potential vulnerabilities, and with the increasing use of one’s smartphone for both business and pleasure, sometimes without any formal security management controls, the potential that this creates a vector for an enterprise breach is great.”
Then there’s the basic strategy of installing updates.
“Another reason that Android phones are at high risk is that most of them are not up-to-date,” said Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, in an email to Threatpost. “Most Android users are on the 6.0 Marshmallow version, which is several versions behind, and less than 1 percent of users are running the newest 8.1 Oreo version.”
Hack Royale: Not Just Fake Apps to Worry About
There are other Fortnite-related dangers too. Gad Naveh, advanced threat prevention evangelist at Check Point, told Threatpost that Fortnite accounts have also become lucrative targets for hacking.
“Hacking gaming accounts is as interesting – or even more – than other cloud services like Office365, Salesforce and Dropbox,” he said. “Accounts that were taken over either by phishing or weak passwords can give nice revenues. Especially for gaming hackers who are usually more interested in in-game resources than actual funds.”
He added, “Attackers are always looking for ways like phishing and social engineering to take over accounts and monetize from other scams, such as free in-game money (VBucks). As a father to a child playing this game, I noticed Fortnite developers are trying to educate players against risk in such scams – you can only buy VBucks through the in-game store – which is important step. But some users will click and fall for the promise of free gifts eventually, and preventive measures should be taken as well against phishing and malicious apps on your phone.”
Dirk Morris, chief product officer at Untangle, told us that straight-up scams are becoming popular too.
“Fortnite is an absolute phenomenon at this point, so it is naturally attracting cybercriminals,” he said. “Scams targeting unsuspecting gamers range from selling fake vBucks to presenting malicious app downloads. Users must always exercise caution when trusting third party apps, whether they are browser plug-ins, Facebook quizzes or mobile phone apps. Malware and privacy concerns require constant vigilance.”
It should be noted as well that not just consumers are at risk.
“Any enterprise that allows employees to connect their own Android phones to the corporate network is also at risk,” Juniper’s Bilogorskiy told Threatpost. “To reduce the risk of infection on Android, make sure to update to the latest version, lock your phone to only allow downloads from Google Play and avoid apps that have very few reviews.”
Fortnite is not the first popular new game to be hounded by cybercriminals. In 2016, the then-wildly popular Pokemon GO app went through a similar cycle, with legions of fake versions of the app spreading nasty malware like DroidJack, a remote-access tool.
Images courtesy of Epic Games.