{"id":13128,"date":"2018-08-16T10:45:19","date_gmt":"2018-08-16T18:45:19","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/08\/16\/news-6895\/"},"modified":"2018-08-16T10:45:19","modified_gmt":"2018-08-16T18:45:19","slug":"news-6895","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/08\/16\/news-6895\/","title":{"rendered":"Impostor &#8216;Fortnite&#8217; Android Apps Are Already Spreading Malware"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b68cf314177c301e3b9b065\/master\/pass\/android_fortnite_malware-01.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Thu, 16 Aug 2018 10:00:00 +0000<\/strong><\/p>\n<p><span class=\"lede\">Two weeks ago, <\/span>Epic Games CEO Tim Sweeney <a href=\"https:\/\/www.eurogamer.net\/articles\/digitalfoundry-2018-fortnite-on-android-doesnt-use-google-play-confirmed\" target=\"_blank\">confirmed<\/a> that the Android version of <em>Fortnite<\/em>, largely seen as <a href=\"https:\/\/www.wired.com\/story\/fortnite-crossover-phenomenon\/\">the most popular game in the world<\/a>, would not be available through the Google Play Store. Instead, fans would have to install it from the web. The announcement drew heaps of attention\u2014not least of which came from peddlers of malware.<\/p>\n<p><em>Fortnite<\/em> only became broadly available on Android this week. But on August 3, the day of Sweeney\u2019s announcement, WIRED quickly discovered seven sites advertising themselves as Android <em>Fortnite<\/em> downloads. 
Analysis from <a href=\"https:\/\/www.lookout.com\/\" target=\"_blank\">mobile security company Lookout<\/a> found that each of those sites distributed malware to anyone who fell for the scam.<\/p>\n<p class=\"paywall\">The finding serves as a caution to <em>Fortnite<\/em> fans only to download from the <a href=\"https:\/\/www.epicgames.com\/fortnite\/en-US\/mobile\/android\/sign-up\" target=\"_blank\">official Epic Games site<\/a>. More importantly, it\u2019s a reminder of the real risks that come with operating outside of the Google Play Store\u2014risks that could end up extending well beyond the battle bus.<\/p>\n<p class=\"paywall\">There\u2019s not much complexity as to why Epic Games decided to ditch the Play Store. Google takes 30 percent off the top of every purchase that goes through its official channels. One estimate <a href=\"https:\/\/sensortower.com\/blog\/fortnite-daily-revenue-season-five\" target=\"_blank\">pegs<\/a> <em>Fortnite<\/em>\u2019s daily take on iOS at about $2 million. Yes, $2 million <em>a day<\/em>. You don\u2019t need advanced calculus to see why Epic wants to skip a tithe if it can.<\/p>\n<p class=\"paywall\">On iOS, it can\u2019t. Every app on your iPhone has to route through the App Store, no exceptions. Android\u2019s an open system, though. It\u2019s more permissive. You can dig into your settings\u2014it varies by device, but you\u2019ll generally find it under some combination of \u201cSecurity\u201d and \u201cApplications\u201d\u2014and allow Chrome or any other app to download whatever you please.<\/p>\n<p class=\"paywall\">As you might imagine, that\u2019s also where the trouble starts. 
The Google Play Store is <a href=\"https:\/\/www.wired.com\/story\/google-play-store-malware\/\">not perfect<\/a>, but it has aggressive <a href=\"https:\/\/www.wired.com\/2016\/12\/never-ever-ever-download-android-apps-outside-google-play\/\">built-in malware protections<\/a>. The open internet, meanwhile, is a terrible goblin town.<\/p>\n<p class=\"paywall\">\u201cWe have found many examples of apps that have been manipulated to deliver hostile content such as remote access Trojans, banking Trojans, cryptomining software, and other malicious software,\u201d says Dan Wiley, head of incident response at Check Point, another security firm that tracks mobile threats. \u201cThe apps look exactly like the real app and, many times, behave just like the official app.\u201d<\/p>\n<p class=\"paywall\">Which is true of the <em>Fortnite<\/em> impostors as well. At least to a point.<\/p>\n<p class=\"paywall\">Lookout security researchers Adam Bauer and Christoph Hebeisen analyzed software pushed by the seven sites WIRED discovered, each of which claimed to offer the legitimate <em>Fortnite<\/em> Android app. Many of the sites, which we won\u2019t link to here for obvious reasons, include &quot;Fortnite&quot; in the URL and have convincing enough landing pages featuring imagery from the game.<\/p>\n<p class=\"paywall\">All of them distribute malware that comes from two distinct families. The first category, which Lookout calls FakeNight, plays videos that look like a <em>Fortnite<\/em> game-loading screen, then shows a prompt that reads, \u201cMobile Verification Required.\u201d From there, you\u2019re taken to a browser window and told that if you click enough ads, you\u2019ll get a game code in return. The game code never materializes.<\/p>\n<p class=\"paywall\">The other family, which Lookout calls WeakSignal, also presents a convincing <em>Fortnite<\/em> loading screen but places a rotating series of programmatic ads on top of it. 
Eventually it tells you that you have a weak signal and that you should try again later.<\/p>\n<p class=\"paywall\">As far as malware goes, it\u2019s not the worst outcome\u2014the grift basically enlists you in a click farm, to score money for the attacker off of ad networks. It&#x27;s not a surprising outcome either. \u201cMost commonly, malware is about generating revenue, and the easiest way to do that without having any police force after you is probably adware and click fraud,\u201d says Hebeisen. \u201cFrequently there are no consequences to it.\u201d<\/p>\n<p class=\"paywall\">More troubling, though, is that rather than lurking on some backwater download site, many of these offerings had high search placement on Bing and Yahoo. Which, yes, OK, but those combined still represent more than <a href=\"http:\/\/gs.statcounter.com\/search-engine-market-share\" target=\"_blank\">12 percent<\/a> of US searches, which adds up quickly. And for nearly two weeks, the top result on both for \u201cFortnite android app\u201d was a link to one of the malware impostors. After inquiries from WIRED to both Bing and Epic Games, many of those problematic results were removed. Google had taken several <em>Fortnite<\/em> malware hosting pages down already, citing a DMCA complaint.<\/p>\n<p class=\"paywall\">Bear in mind, too, that this represents just a portion of the impostor <em>Fortnite<\/em> malware that has been and will continue to circulate. In May, a cloud security company called Zscaler said it <a href=\"https:\/\/www.zscaler.com\/blogs\/research\/fake-fortnite-apps-scamming-and-spying-android-gamers\" target=\"_blank\">had found<\/a> a phony <em>Fortnite<\/em> app loaded up with spyware, complete with the ability to harvest call logs. That app also prompted users for Accessibility permissions, which would have granted it access to the phone\u2019s camera and more.<\/p>\n<p class=\"paywall\">Epic Games isn&#x27;t the first major company to circumvent the Play Store tax. 
Amazon has operated its own <a href=\"https:\/\/www.wired.com\/2011\/03\/amazon-android-app-store-2\/\">Android app storefront<\/a> for years, which requires the <a href=\"https:\/\/www.amazon.com\/gp\/feature.html?docId=1002999431&amp;tag=w050b-20\" target=\"_blank\" rel=\"nofollow\">same workarounds<\/a> as <em>Fortnite<\/em>. It\u2019s also far from the first popular app to inspire malicious copycats. Mike Murray, Lookout vice president of security intelligence, notes that <a href=\"https:\/\/www.wired.com\/story\/pokemon-go-quiet-steady-dominance\/\"><em>Pok\u00e9mon Go<\/em><\/a> imitators at this point number in the thousands.<\/p>\n<p class=\"paywall\">Still, no title this popular has ever operated outside of Android\u2019s garden walls. That has unique implications.<\/p>\n<p class=\"paywall\">\u201cThis is exactly what makes this case interesting and special,\u201d Hebeisen says. \u201cWhen we are looking at fake apps that pretend to be a particular game, and that game is available on the Play Store, there\u2019s a fairly high barrier for people to download that game from somewhere else, because they know that\u2019s not a legitimate source.\u201d<\/p>\n<p class=\"paywall\">Not only that, but the unprecedented demand for <em>Fortnite<\/em> makes it an irresistible target for internet miscreants to begin with. Bigger watering holes attract more prey. \u201cA minor app not used by many people is not a large attack surface,&quot; says Check Point\u2019s Wiley. &quot;This is one of the hottest games in town. If I was a bad guy, I would target the largest pool of victims I could. 
<em>Fortnite<\/em> seems to fit that bill.\u201d<\/p>\n<p class=\"paywall\">Or, as Hebeisen puts it, coining something of a mobile security koan: \u201cWhere there\u2019s a market for malware, more malware will follow.\u201d<\/p>\n<p class=\"paywall\">What concerns the Lookout team more than <em>Fortnite<\/em> copycats, though, is the idea that the developer\u2019s experiment could make dodging the Play Store\u2014and its security protections\u2014more commonplace. If <em>Fortnite<\/em> acclimates people to downloading from the wild web, how many other developers would take a shot? Why give up nearly a third of your revenue if you don\u2019t have to?<\/p>\n<p class=\"paywall\">\u201cIf one app does this, you might know exactly what website to go get that one app at. It\u2019s the situation where this becomes a trend, and if you want 100 apps on your phone, you have to go to 100 websites, and how do you know which one is legitimate,\u201d Murray says. \u201cIt\u2019s when this trend is normalized that we\u2019ll really see the impact.\u201d<\/p>\n<p class=\"paywall\">Epic Games has legitimate reasons for bucking Google\u2019s fee. Google has legitimate reasons for charging it. The only true bad guys in this scenario are the predatory malware authors. But going outside the Play Store unquestionably puts <em>Fortnite<\/em> fans at risk. It already has.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/imposter-fortnite-android-apps-already-spreading-malware\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b68cf314177c301e3b9b065\/master\/pass\/android_fortnite_malware-01.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Thu, 16 Aug 2018 10:00:00 +0000<\/strong><\/p>\n<p>New analysis from mobile security firm Lookout shows that malware authors are taking full advantage of &#8216;Fortnite&#8217; ditching the Google Play Store. <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-13128","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13128"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13128\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?po
st=13128"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}