android trojan Reading Time: 4 minutes

If you’re into gaming, you’ve probably heard of Fortnite: Battle Royale. Epic Games’ popular new online title debuted on consoles and PCs in September 2017, on iOS this April, and finally on Android for a handful of device models (Samsung Galaxy S7 / S7 Edge , S8 / S8+, S9 / S9+, Note 8, Note 9, Tab S3, and Tab S4) on August 9th. Unlike iOS, users can side-step the Android Google Play portal and sideload un-curated apps without needing to jailbreak the device or performing other unsanctioned activities. For Android, sideloading involves installing an from outside of the official Android package repository.. Epic took full advantage of that openness in the Android platform as a way to avoid letting Google take a 30% cut of their sales by distributing the game through their own website instead.

Android Trojans

If you want to install Fortnite: Battle Royale on your Android device, I urge you to go to fortnite.com/android. That URL will redirect you to a different page on https://www.epicgames.com depending on your geography. If you find Fortnite for Android hosted somewhere else, it’s probably trojan malware. At least seven phishing sites have appeared in recent days for the sole purpose of distributing fake Fortnite game Android trojans. By downloading one, you’ll almost certainly end up seriously compromising the security of your Android device and its data, rather than enjoying a fun and legitimate game app. Some of the phishing sites even go to the effort of spoofing the UI of the Google Play Store.

google play store

Some cybersecurity professionals think that Epic’s decision to distribute their Android game themselves rather than through the curated Google Play Store is a terrible idea. Falanx Group’s Rob Shapland said

“Epic Games’ decision to publish the Android version of Fortnite outside of the Play Store is a very poor choice for the security of their players. Android devices are already far more susceptible to malware than Apple devices, with the greatest protection being to always download apps from the Play Store as these apps are screened for malware, which prevents most malicious apps from being installed. By encouraging users to download Fortnite outside of the Play Store, Epic Games leave their players vulnerable to malicious copycat apps being installed accidentally if they go to the wrong site. (Epic Games’s decision) normalises the behavior of downloading apps from outside of Play Store, which can only lead to more malicious apps being installed in the long term.”

Side-loading outside of Google Play isn’t the first major malware problem that’s associated with Fortnite. In June, 2018, Rainway, online gaming platform Rainway noticed a major cyber-attack that targeted the Windows version of Fortnite. Sometimes gamers like to cheat and freeload; YouTube videos have appeared claiming to show people how to acquire free “V-Bucks” (Fortnite’s in-game currency) and an “aimbot” which is supposed to make it easier for players to shoot their enemies. If an offer like this sounds too good to be true, it probably is!

Rainway CEO Andrew Sampson wrote

“On the early morning of June 26th, we began receiving hundreds of thousands of error reports to our tracker. Not feeling very excited to see such an influx of events on a Tuesday the engineering team was a bit flustered, after all, we hadn’t released any updates to that particular piece of our solution.

It became pretty clear soon after that this new flood of errors was not caused by something we did, but by something someone was trying to do.

These are attempts to call various ad platforms; the first thing we should note is Rainway does not have ads on it which was an immediate red flag. The first URL, in particular, is JavaScript which is attempting to act and running into an error, triggering our logging. For security and privacy reasons we’ve always whitelisted URLs and the scope of what they can do from within Rainway — it seems now it has the unintended side effect of shining a light on a much broader issue…”

Rainway’s team eventually traced the odd traffic to Fortnite cheating trojans that facilitated HTTPS man-in-the-middle attacks!

“We then spun up a virtual machine and ran the hack, it immediately installed a root certificate on the device and changed Windows to proxy all web traffic through itself. A successful Man in the Middle Attack.

Now, the adware began altering the pages of all web request to add in tags for Adtelligent and voila, we’ve found the source of the problem — now what?

We began by sending an abuse report to the file host, and the download was removed promptly, this was after accumulating over 78,000 downloads. We also reached out to Adtelligent to report the keys linked to the URLs. We have not received a response at this time. SpringServe quickly worked with us to identify the abusive creatives and remove them from their platform.”

If you ever want to download any video game or DLC from outside the official platform store (for example, for PS4, the Sony PlayStation Store where each application is curated, signed and packaged), make sure you do so from the game developer’s official website. If you’re not confident about the site being the developer’s own, don’t take the risk. Err on the side of caution by not downloading in the first place.

I hope that, as Epic ports Fortnite to more Android devices in the future, they change their mind and switch distribution to the Google Play Store. But with mobile software as with Pandora’s (loot) box, once opened, it’s almost impossible to close..

Fortnite trojans reflect a malware trend that Comodo research has observed lately, specifically pertaining to Android. Read more about the rise of Android trojans of all kinds in the latest Comodo Global Threat Report for Q2 2018

Internet Security Program

Free Website Monitoring Software

Related Resource:

Remote Access Software

START FREE TRIAL GET YOUR INSTANT SECURITY SCORECARD FOR FREE