Don’t download it! Fake Fortnite app ends in malware…

Are you a Fortnite player?

Hundreds of millions of people are, but in case you’re not one of them, Fortnite is a computer game from Epic Games, in which players co-operate in gangs to save the world following a zombie-style apocalypse that has already snuffed out 98% of the population.

There’s plenty of parachuting, shooting, grenade launching, things exploding, creatures dying and all the usual stuff that makes games exciting for adults and children alike.

(Amusingly, or perhaps ironically, the number of players in real life is fairly close to the number of non-zombie humans that would be left alive if the game were true.)

Sadly for Fortnite fans around the world, the one popular platform that doesn’t support it is Android – you can get it for Windows, macOS, various gaming consoles and even for iOS, but not yet for Android.

A release of Fortnite for Android is both imminent – some time in “summer 2018”, apparently – and eagerly awaited, with some media outlets talking buoyantly about it as though it’s already there.

Today’s Daily Express in the UK, for example, published a story headlined Fortnite Android release news as stunning new Epic Games Mobile update is revealed, which doesn’t actually say that the game has been released, but certainly makes it sound as though it were available right now.

You can guess where this is going.

Scammers, flimflammers and cybercrooks love it when there’s a rush of interest for a forthcoming product that everyone is desperate to download, because they can rush in to fill the gap with malware.

And the interest in Fortnite for Android is huge, as you can tell with a quick experiment on Google Play.

Go into the search box, hit the letter F, and see what pops up at the top of the as-you-type-it list:

Your next thought, when you realise that there isn’t an official release yet, might be to wonder if there’s a pre-release version – after all, the Express headline trumpeted “mobile update revealed,” as though some lucky early adopters might already have access to the app.

And where an app is in limited circulation under a non-disclosure agreement (NDA) or on embargo, there’s always a chance that someone has decided to break the embargo or dishonour the NDA, or that someone has somehow created a hacked version that can be played right away.

Next stop, then, might be YouTube, in case there’s a how-to video…

…and, sadly, you’ll find zillions of the darn things on YouTube, with the search term F once again bringing Fortnite straight to the top of the list:

When I searched for the full text Fortnite Android, the top three videos tried to draw me in by:

  • Telling me that the app’s in the Play Store. (Lie. It’s not there.)
  • Warning me about a Trojanised update. (Lie. You can’t update a product that’s not out yet.)
  • Giving me an off-market URL to get the app unofficially. (Lie. It’s not “unofficial”, it’s fake.)

Don’t do it, folks!

The very best thing that can happen if you allow yourself to be sucked into downloading a so-called “early release” version is that you’ll end up with a useless or unrelated app instead.

More likely is that you’ll end up with malware.

Here’s one example from security researcher Lukas Stefanko that we checked out, available from a website that was promoted believably enough in one of the many YouTube videos on the subject:

Note how the website even tries to give you technical support by reminding you to go to the Settings page and turn on Android’s non-default option to allow apps from Unknown sources – without this setting enabled, you’d be blocked from installing this malware by Android itself.

If you install and open the app, you’ll see a sneaky dialog offering you an immediate update with a load of conditions that you can apparently [Skip>] if you like:

But it’s a trick, because the [Skip>] button actually only skips the so-called “update” part, and instead signs you up for the “game” you’re running right now, under conditions you’ll only notice if you scroll down to the bottom of the dialog:

The treachery goes on: the app contains code to show you ads, send SMSes to revenue-generating services, and to download a secondary app.
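For anyone triaging a sideloaded APK, behaviours like these depend on permissions that the app has to declare in its manifest. The following is an added example, not code from the original article or from SophosLabs: it assumes the manifest has already been decoded to text XML, and the permission-to-behaviour mapping, the verdict labels and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption of this example: which declared permissions enable which
# of the behaviours described in the article.
RISKY = {
    "android.permission.SEND_SMS": "can send SMS, including to premium-rate numbers",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt to install further APKs",
    "android.permission.INTERNET": "can fetch ads or a secondary download",
}

# Constructed sample manifest, not taken from the real fake app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Game"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms


def triage(manifest_xml):
    """Return (verdict, findings) for a manifest claiming to be a game."""
    perms = requested_permissions(manifest_xml)
    findings = {p: RISKY[p] for p in sorted(perms) if p in RISKY}
    # A game has no need to send SMS, so that is the strongest signal here.
    if "android.permission.SEND_SMS" in findings:
        return "suspicious", findings
    return ("review" if findings else "no-flags"), findings


if __name__ == "__main__":
    verdict, findings = triage(SAMPLE_MANIFEST)
    print(verdict)
    for perm, why in findings.items():
        print(f"  {perm}: {why}")
```

A "no-flags" result only means none of these three permissions is declared; it is not a statement that the app is safe.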

When we tested the fake Fortnite app, the secondary download failed, but SophosLabs tried and ended up with another app installed, called Fortnite Battle Death.

This one was, in fact, a game, but it was no Epic Games product – it was a low-quality first-person shooter game called “Battle Death” (by this time, any pretence of being part of the Fortnite franchise was gone) that quickly froze.

We didn’t investigate further than that – we’d already had to turn off Sophos Mobile Security in the first place to avoid detecting the original app as malware! – because we weren’t under any misapprehensions that any part of this might be genuine.

You shouldn’t believe anything about this app, either.

What to do?

  • Ignore apps claiming to be Fortnite early releases. Epic Games will release officially when it’s ready; all other “releases” are imposters.
  • Stick to Google Play if you can. Don’t turn on Android’s Allow apps from unknown sources option just because an email or a website tells you to.
  • Keep an eye on your mobile phone account. Watch out for unauthorised charges that might indicate you’re signed up to a premium rate service you didn’t want.
  • Consider blocking access to premium rate services. If you don’t need or want to be able to sign up for third party services via SMS, or to use premium rate numbers, find out from your provider how to block access from your number.
  • Use an anti-virus on your Android. Sophos Mobile Security is 100% free and automatically blocks malicious apps from running and dangerous websites from loading.

And, remember, if it sounds too good to be true…

…it’s false.