
Epic Games' battle royale game Fortnite has been a runaway hit, swelling to more than 125 million monthly active users in less than a year. That success is now, rather inevitably, attracting scammers who are out to make money. The current lure is the impending release of Fortnite's Android app and the promise of playing it before it is officially out.

Despite Fortnite being released in September 2017, Google's mobile operating system, which runs on more than two billion devices, is pretty much the last major platform to get the game. Epic has confirmed its official app will be released in the summer of 2018. In the meantime, unofficial, malware-laden versions are spreading across the internet, and there is not much Google can do to stop people from installing them on Android devices.


"There are several videos on YouTube with links claiming to be versions of Fortnite for Android," Nathan Collier, a mobile researcher at security firm Malwarebytes, says in a blog post analysing knock-offs of Epic's creation.


The YouTube links followed by Collier, found by searching "How to install Fortnite on Android", point to apps that are not on the official Google Play Store but are hosted externally as Android Package (APK) files, which can be sideloaded onto Android devices once the user allows installs from unknown sources. "It's a simple program that comes in two different package names," Collier says. The app uses Fortnite artwork for its icon, carries the Epic Games logo, and shows a loading screen copied from Fortnite's iOS app. At first glance, it could pass for the genuine article.

Once opened, the app tells the user that updates are needed. Trying to install these updates requires the person to "verify" they are human by installing another app, this time from the legitimate Google Play Store. Users are sent there via a website that earns its operators a commission for every Android app install it drives. There never is a version of Fortnite to download.


Lukas Stefanko, a malware researcher at ESET, spotted the APK downloads being pushed through YouTube videos earlier in June. On Twitter he said the videos have had millions of views and "mostly generate revenue for developers". One such app contained about 40 lines of code that played Fortnite video footage and no gameplay at all, Stefanko says.

Stefanko's tweet, posted June 12, 2018:

"Millions of views on YouTube for fake "How to install Fortnite on Android" videos including links to actual APK files.

Don't install #Fortnite for Android, it's all fake or malicious! Official app is not released yet.

They mostly generate revenue for developers. pic.twitter.com/xpDcqbs3G2" (Lukas Stefanko, @LukasStefanko)

The apps need no technical sophistication to succeed. Google's anti-malware systems can scan devices for malicious files, but fake apps spread on the popularity of their subjects rather than on any exploit, and a convincing icon and splash screen is enough to get a user to tap "install".


"Fake apps spread by social engineering, such as by enticing users with the possibility of playing a popular game," says Vaibhav Rastogi, a computer science research associate at the University of Wisconsin-Madison. "The vulnerability exploited here is not in the computer system but in the human."


Yanick Fratantonio, an assistant professor at French research center Eurecom, says the Fortnite apps and other similar attempts must be working. "These guys are not looking for popularity, they are looking for direct (or indirect) monetary reward," he says. "They would just move on if these endeavours were not profitable."

There is not a huge amount that Google can do to stop social engineering, especially when it happens outside the Play Store through sideloaded APK files or other Android app markets. There are plenty of alternative places to download Android apps from, but Google's own store is considered the most secure. "In Google's defence, these kinds of fake apps are particularly tough to catch," says Collier.

"The apps are very basic and usually contain a couple of realistic-looking splash screens along with a simple redirect to a website," he adds. "However, on further analysis of what is being claimed by the website and fake app, there is obviously malicious intent. This is hard to see without human intervention."

Google has had issues detecting malware within the Play Store (originally called Android Market) since it launched in 2008. In 2011 the DroidDream malware, which rooted infected phones and silently downloaded further malicious apps, spread through the Android Market. In 2017, malware dubbed Grabos was found in more than 140 Android apps.


Last year, Google expanded its Play Protect security system to Android phones and tablets. Google says the malware detection system uses machine learning to scan more than 50 billion apps each day. "Google created an automated app risk analyzer that performs static and dynamic analysis of APKs to detect potentially harmful app behaviour," Google wrote in its annual Android security review. "If the risk analyser discovers something suspicious, it sends the offending app to a team of security experts for manual review."

"My perception is that it's getting better," Fratantonio says. Google says Play Protect doesn't just check apps installed from its own Play Store. If a person installs an app from a third-party market or directly from an APK file Play Protect "checks your device for potentially harmful apps from other sources".

"It warns you about any detected potentially harmful apps found, and removes known harmful apps from your device," the company says in support documents.


But there have also been issues with fake apps proving popular inside the Play Store itself. In November 2017, an unofficial version of Facebook's WhatsApp was found to have been downloaded one million times. Its listing used a developer name that looked identical to the official "WhatsApp Inc." on screen, differing only by an invisible trailing Unicode character, and once installed the app used a blank icon to hide itself from the user's app drawer.

"While it might be possible to build better algorithms to try to detect suspicious entries – such as similarity to existing app listings or developer names – to avoid obvious and brazen attempts to clone app listings, this would not be fool-proof," says Greig Paul, a computer science research engineer at the University of Strathclyde.
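The kind of similarity check Paul describes is straightforward to sketch. The following is an added example, not code from Google, Malwarebytes, or any of the researchers quoted here: it normalises developer names the way a reviewer would before comparing them (Unicode compatibility normalisation, stripping every whitespace and format character rather than just ASCII spaces, mapping a handful of Cyrillic look-alike letters to Latin) and then flags listings whose developer name collides with, or sits close to, a known publisher. The known-developer list, the sample listings and the confusables table are constructed for illustration; a real deployment would use a full confusables database and the store's own publisher registry.

```python
import difflib
import unicodedata

# Constructed sample data (not real Play Store listings): a short allow-list of
# known publishers and a mix of honest and impersonating developer names.
KNOWN_DEVELOPERS = ["Epic Games", "WhatsApp Inc.", "Google LLC"]

SAMPLE_LISTINGS = [
    ("Fortnite", "Epic Games"),                    # genuine
    ("Fortnite Mobile", "Epic Games\u00a0"),       # trailing no-break space
    ("WhatsApp Messenger", "WhatsApp Inc.\u200b"), # zero-width space appended
    ("Fortnite Installer", "Epic G\u0430mes"),     # Cyrillic 'а' instead of 'a'
    ("Fortnite Beta", "Epic Gamez"),               # one-letter variation
    ("Weather Widget", "Some Indie Dev"),          # unrelated, should pass
]

# Tiny confusables table (assumption: a real system would use the Unicode
# confusables.txt data). Maps common Cyrillic homoglyphs to Latin letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",
}


def normalize(name: str) -> str:
    """Reduce a developer name to a comparable key.

    NFKC folds compatibility characters (e.g. no-break space -> space),
    the confusables map removes homoglyphs, and every whitespace or
    format-category character (zero-width spaces, joiners) is dropped
    so that invisible padding cannot create a 'new' name.
    """
    s = unicodedata.normalize("NFKC", name)
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    s = "".join(
        ch for ch in s
        if not ch.isspace() and unicodedata.category(ch) not in ("Zs", "Cf")
    )
    return s.casefold()


def check_developer(name, known=KNOWN_DEVELOPERS, threshold=0.85):
    """Classify a developer name against the known-publisher list.

    Returns (verdict, matched_known_name):
      "ok"            exact match with a known publisher
      "impersonation" differs from a known publisher only by invisible or
                      look-alike characters (normalised forms are identical)
      "lookalike"     normalised similarity ratio at or above `threshold`
      "unknown"       no meaningful resemblance to any known publisher
    """
    if name in known:
        return ("ok", name)
    key = normalize(name)
    best_name, best_score = None, 0.0
    for k in known:
        known_key = normalize(k)
        if key == known_key:
            return ("impersonation", k)
        score = difflib.SequenceMatcher(None, key, known_key).ratio()
        if score > best_score:
            best_name, best_score = k, score
    if best_score >= threshold:
        return ("lookalike", best_name)
    return ("unknown", None)


def scan_listings(listings=SAMPLE_LISTINGS):
    """Return [(title, developer, verdict, matched_publisher)] for every listing."""
    results = []
    for title, developer in listings:
        verdict, matched = check_developer(developer)
        results.append((title, developer, verdict, matched))
    return results


if __name__ == "__main__":
    for title, developer, verdict, matched in scan_listings():
        print(f"{title!r:24} {developer!r:26} -> {verdict:14} {matched or ''}")
```

The threshold and the exact-match fast path are deliberate: a genuine publisher's own name must never be reported, while a name that collapses to the same key as a known publisher after normalisation is treated as impersonation outright rather than scored, because there is no honest reason for a different developer to register a name that is only distinguishable by invisible characters.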

It also should not be surprising that wildly popular internet culture attracts scammers: replies to the tweets of Tesla CEO Elon Musk have been swarmed by fake accounts impersonating the billionaire to push cryptocurrency scams. Collier recommends that gamers looking to get ahead of the official Fortnite release for Android be patient. They should wait until there is an official version on the Google Play Store, with the developer listed as Epic Games, rather than sideloading an APK linked from a video.