Fake Fortnite apps target Android gamers

By

Popularity of the free-to-play shooter game Fortnite has been nothing less than a phenomenon. The number of Fortnite players as of June 2018 is recorded at a staggering 125 million. Fortnite is available on popular platforms – Windows, Mac, Playstation, Xbox and mobile devices. But when we say mobile devices, in this case, we mean Apple devices. Yes, Fortnite is currently not available for Android as shown on both Google Playstore and the official Epic website below:

However according to uploaders on Youtube, Fortnite can be installed on Android devices just fine:

SonicWall Threats Research Team observed a number of fake Fortnite apps that claim to be Fortnite for Android but end up fooling the victims into installing third party apps for the benefit of the scammers.

We highlight few popular scams in circulation right now that use Fortnite as their cash cow:

Scam I: Get verified

This scam is probably the most popular one right now that involves Youtube. There have been a flurry of videos that claim to show instructions to install and run Fortnite on Android. The scam works as follows:

  • Step I: Youtubers create videos showing how they can download, install and play Fortnite on Android devices. They add a link in their videos from where the fake Fortnite apps can be downloaded:

<

  • Step II: After installing the app and running it the victim is greeted with logos, images and videos which are copied straight from the official game. This is very critical as it cements the victim’s belief that this app may actually be real:
  • Step III: The victim is informed that some sort of mobile verification is needed before the game can be played:
  • Step IV: On clicking “OK” a link opens where the victim is asked to install an app. The link and app changes based on the scam but a legitimately clean app (which is usually available on Google Play) is asked to be installed on the device. The victim installs this app with the belief that after this step he will be able to play Fortnite.
  • Step V: When the victim returns back to the fake app, all he gets is an empty screen and is left wondering if he did something wrong. Most of the victims may try the previous step once more to try and “rectify” what they did wrong or they may try a different Youtube video thereby propagating the scam.

Scam II: App update

The initial step of this scam are similar to the one described above (Step I). The difference is what happens once the fake app runs on the device.

  • Step II: Once the app runs it displays a screen stating that an update is needed, however shady terms are listed at the bottom where a user needs to scroll down.
  • Step III: Both update and skip buttons move us forward and we begin seeing advertisements, also an update gets downloaded in the background:
  • Step IV: Just like the previous scam, a legitimate app gets installed on the device:

In our case the fake Fortnite app installed Fortnite Battle Death but in reality it installed a legitimate game called Battle Death Combat:

But where is Fortnite ?? Anywhere but here…

Scam III: V-Bucks

V-Bucks are virtual in-game currency which can be used to purchase customization for a player character. These can be purchased online at legitimate places but in V-Bucks scammers saw an avenue for spreading their malicious schemes. The Playstore is littered with apps that promise free V-Bucks but are just another scam:

One such app entices the user to do something for the author/creator in exchange of V-Bucks, for instance follow a certain Twitch channel. But after doing so just displays a congratulatory message:

Another V-Bucks app has a little more depth. It requests for the Fortnite username of the user and puts up a show wherein fake V-Bucks are “calculated”:

The next screen asks the user to rate the current app and then claim the V-Bucks.  When the user tries to claim the reward he is just transferred to either a survey scam or a website that tries to fish for emails or phone numbers. Either way this part of the scam is interested in the user’s data:

Although not malicious (as of now) these apps certainly trick users and seep sensitive data from them.

Scam IV – Droidjack

These are straight-up malicious apps that are disguised as Fortnite apps. They show no pretense whatsoever and contain malicious code that infects the device. Currently, we observed Droidjack infested apps – which has been covered earlier in our blogs.

We can expect other malicious apps to trojanize themselves as Fortnite in the near future.

Notable mention – Fortnite guides and tips

These are apps that contain few pages of tips and tricks for Fortnite, they may contain ads but are generally not malicious. Their sole purpose is to get installs from the users:

Why Fortnite?

The main reason for using Fortnite is its popularity – Scammers and malware writers constantly target trending apps as their cover for spreading malicious apps. Another reason is that Fortnite is not available on Android at the moment but its available for Apple devices. This creates a void for Android users which leads some eager gamers to try alternative routes thereby committing the mistake of installing apps from untrustworthy sources.

What do they gain from these scams?

Different scams serve different purpose, here are a few insights:

  • Verification related scams – These scams require the victims to install specific legitimate apps, when these apps are downloaded it gives the referrers (the scammers in this case) money. Its a win-win for both scammers and app developers
  • The role of Youtubers – A lot of these scams are spreading via download links mentioned in YouTube video descriptions. App developers or companies offer Youtubers monetary benefits to promote their apps. A popular Youtuber can easily reach their audience with videos as YouTube is easily accessible these days
  • V-Bucks scams – These apps usually demand the victims to rate the apps as one of the steps in earning V-Bucks. As a result these apps have been rated highly by a large number of users:

However as time passes and the realization of the scam sets in, many users have given it a negative rating:

  • DroidJack is one example where the app is completely malicious by nature without showing any pretense. We can expect more malicious apps that use Fortnite logo, name and images

Who are the likely targets?

  • In case of the current Fortnite scams the prime targets are Android gamers as Fortnite is available on other platforms leaving Android gamers waiting for the official app. The long wait causes some people to take desperate measures and search for alternate ways to install Fortnite
  • Some of the scams require the victims to perform a certain task – that may be install other apps, run a particular app for a specified time – in exchange of virtual currency. This needs sufficient time and the motivation to earn virtual currency – younger gamers fit this description in most cases. Mobile phones are very accessible these days and younger users may not have the money to buy virtual currency by themselves and they may not be too eager to research about these apps, the need for instant gratification takes over and they fall victim to such scams
Scammers and malware writers will continue to use popular and trending topics as a cover to hide their apps. It is best to stay informed and practice safe browsing habits to stay away from such scams. We urge our users to install official apps only from the Google Play store and be informed about what apps are available for which platforms.

Sonicwall Capture Labs provides protection against this threat with the following signatures:

  • AndroidOS.Fortnite.AN
  • AndroidOS.DroidJack.MA_2

Appendix

The following are a few websites which host fake Fortnite apk’s. These are commonly present in the description of YouTube videos:

  • Domain – hxxps://fortnitemobile.club/
  • App link – hxxps://fortnitemobile.club/img/Fortnite%20Android.apk
  • Domain – hxxp://fortniteapk.fun
  • App link – hxxps://fortniteapk.fun/Fortnite.v4.0.Patch.Android.apk

The following are a few Fortnite apps containing the “get verified” scam:

  • 1f85475a71a1f0c08719fa76ac022307
  • 7a49c43612e09c7603b83ae5deedf618

The following are a few Fortnite apps with DroidJack component:

  • 62accd897ce6408ad8fb14eda9d21d0b
  • c11552a4b5d4caa8eef6662393b8938a

The following are a few Fortnite apps with “V-Bucks” scam:

  • 93f21cb14377e384b81beac6697fe380
  • 84a7042d86680e6c66cfd7472636eb86

The following are a few Fortnite guide/maps apps:

  • 91375ac120845b1ecb0f729fed1523dc
  • ca60539ef3c629036708b7aa5c05b486

Few interesting observations:

  • There are a large number of apps with the package name com.anizz14, a number of these apps are set to masquerade other popular apps:

  • DroidJack component has been added in a number of apps that masquerade other popular apps, we have already covered an instance where this component was added in an app meant to look like SuperMario for Android:

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.