Fake ‘Fortnite’ apps for Android spread adware, cryptojackers and spyware
With all the hype around the wildly popular video game “Fortnite,” it should come as no surprise that people are taking advantage of the excitement to spread malware.
Researchers with cybersecurity company Zscaler have uncovered a slew of Android apps posing as the official “Fortnite” app for Android. The various malicious apps’ capabilities include spyware, cryptojacking and adware, among other things.
“Fortnite,” a multiplayer online battle and survival game, has about 45 million players on PlayStation, Xbox, PC, macOS and iOS. The company behind the game, Epic Games, has said that support for Android devices is “coming within the next few months,” but has not put out an official timeline.
“A version for the Android mobile platform has not been announced, leaving Android users—eager to play this game on their devices—searching for it. Such situations involving popular games always seem to attract malware authors looking to spread their payloads disguised as fake games,” the researchers write.
Zscaler has previously reported on fake “Super Mario” and “Pokémon GO” apps “during the release of the legitimate versions.”
When it comes to fake “Fortnite” apps, one spyware app that Zscaler discovered starts harvesting call logs, missed calls, text messages and contacts upon installation. The app can also send text messages and abuse the victim phone’s accessibility settings to perform certain actions without interaction from the user.
The spyware can also take pictures, delete data, read keystrokes, access the file manager and record audio, according to Zscaler. This all comes from an app that convincingly looks like it would be “Fortnite” based on its icon.
The good news is that Zscaler hasn’t seen this app make any connection with its command-and-control servers, where it would supposedly exfiltrate stolen data.
“This may indicate that the spyware is still under development,” the report says.
Another fraudulent “Fortnite” app that Zscaler discovered is a cryptocurrency miner. Researchers found the app on the domain androidapk.world, which they say is known for hosting cryptojacking apps. Zscaler says it found Coinhive in the app.
Testing the app, the researchers found that it “significantly raises CPU usage once installed” without any disclaimer that it’s being used to harvest cryptocurrency for the malware authors.
Zscaler also found apps posing as “Fortnite” that serve up ads to generate revenue for authors.
Most of the apps that Zscaler found are promoted on various websites where Android apps can be downloaded, not on the official Google Play Store. But in one instance, an app that was found in the store claimed to provide users with free “V-Bucks,” a virtual currency used in the actual game to buy various paraphernalia.
Following an apparent “human verification” screen, the app will download other apps and surveys, which, Zscaler says, “definitely generates real revenue” for the app author.
Zscaler says the fake V-Bucks app was removed after it notified Android’s security team. But it apparently had more than 5,000 downloads and over 4,000 five-star reviews. The app would prompt users to rate and review it with pre-written comments.
Screenshots Zscaler posted show repetitive Play Store reviews of the app.
That said, apps from the Google Play store are generally safer than ones downloaded from third-party websites. Google has said it removed more than 700,000 malicious apps from its store in 2017.
Zscaler says that Android users can protect themselves by only downloading apps from legitimate sources. Users can uncheck a feature that allows their Android phones to download apps from “Unknown Sources.”
“Users should beware of malware authors looking to exploit their desire to play Fortnite on Android,” the Zscaler researchers write.
They’ll just have to wait for the real thing.