Two weeks ago, Epic Games CEO Tim Sweeney confirmed that the Android version of Fortnite, largely seen as the most popular game in the world, would not be available through the Google Play Store. Instead, fans would have to install it from the web. The announcement drew heaps of attention—not least of which came from peddlers of malware.

Fortnite only became broadly available on Android this week. But on August 3, the day of Sweeney’s announcement, WIRED quickly discovered seven sites advertising themselves as Android Fortnite downloads. Analysis from mobile security company Lookout found that each of those sites distributed malware to anyone who fell for the scam.

The finding serves as a caution to Fortnite fans to download only from the official Epic Games site. More importantly, it’s a reminder of the real risks that come with operating outside of the Google Play Store—risks that could end up extending well beyond the battle bus.

Outside the Box

There’s not much complexity as to why Epic Games decided to ditch the Play Store. Google takes 30 percent off the top of every purchase that goes through its official channels. One estimate pegs Fortnite’s daily take on iOS at about $2 million. Yes, $2 million a day. You don’t need advanced calculus to see why Epic wants to skip a tithe if it can.

'If I was a bad guy, I would target the largest pool of victims I could. Fortnite seems to fit that bill.' Dan Wiley, Check Point

On iOS, it can’t. Every app on your iPhone has to route through the App Store, no exceptions. Android’s an open system, though. It’s more permissive. You can dig into your settings—it varies by device, but you’ll generally find it under some combination of “Security” and “Applications”—and allow Chrome or any other app to download whatever you please.

As you might imagine, that’s also where the trouble starts. The Google Play Store is not perfect, but it has aggressive built-in malware protections. The open internet, meanwhile, is a terrible goblin town.

“We have found many examples of apps that have been manipulated to deliver hostile content such as remote access Trojans, banking Trojans, cryptomining software, and other malicious software,” says Dan Wiley, head of incident response at Check Point, another security firm that tracks mobile threats. “The apps look exactly like the real app and, many times, behave just like the official app.”

Which is true of the Fortnite impostors as well. At least to a point.

Long Dark Fortnite of the Soul

Lookout security researchers Adam Bauer and Christoph Hebeisen analyzed software pushed by the seven sites WIRED discovered, each of which claimed to offer the legitimate Fortnite Android app. Many of the sites, which we won’t link to here for obvious reasons, include "Fortnite" in the URL and have convincing enough landing pages featuring imagery from the game.

All of them distribute malware that comes from two distinct families. The first category, which Lookout calls FakeNight, plays videos that look like a Fortnite game-loading screen, then shows a prompt that reads, “Mobile Verification Required.” From there, you’re taken to a browser window and told that if you click enough ads, you’ll get a game code in return. The game code never materializes.