Almost every day I get emails from cyber security companies, proffering up their hacker wizards to comment on everything from Valentine's Day to smart speakers. This week a single topic dominates, however, and is getting the analysts all in a tizzy. It's the game of the moment, Fortnite, and specifically the yet-to-be-released Android version.
Fortnite is currently available on iOS, and an Android version of the megasmash is expected this summer. But it doesn't exist outside of developer Epic's studio yet. And scammers have seized upon this absence to try and fool folk into downloading all sorts of nasty gubbins on their phones. Essentially a user googling or youtubing a phrase such as 'Fortnite for Android' lands on pages that prompt them to download various apps on their phone, under the pretence they'll eventually get access to a 'leak' or 'beta' version of the Android port. Some of the apps mimic Fortnite in a sophisticated way, while others will play a video of the game, and most use 'legitimate' game assets to try and pass.
Of course, none of them are Fortnite for Android.
Earlier this week Hacker News reported on the scams, which inspired Nathan Collier, a senior malware intelligence analyst for Malwarebytes, to start installing some of these apps to see what they do. One of the apps he downloads is shockingly sophisticated, cloning Fortnite's icon, startup splash screens, and loading screen, before making the user download another app.
“The scheme goes like this: get a couple of over-excited people salivating for a chance to play Fortnite on Android, and get paid,” says Collier. “The more downloads that come from the website, the more money the malware developers can make.”
So the more apps a user installs, the more money the scumbags behind these schemes make. If a user doesn't wise up quickly, they'll find themselves installing dozens in the vain hopes of getting Fortnite, and lord only knows what's in some of those. Just because no-one's found a really malicious example yet doesn't mean it's not out there.
The real weakness here, as security analysts love to point out, is not necessarily Android so much as our fat, fleshy brains. Scams work because they're playing with psychology as much as programming.
“Any form of social engineering is successful because it's designed around human nature,” says Steve Giguere, lead EMEA engineer at Synopsys. “There's no shame in being caught out by schemes or scams like these, but we need to learn that where we exhibit human weakness, the cyber-criminal will be present looking to take advantage to turn our nature against us. As attacks like these become more commonplace, awareness will inevitably follow; but until then, ensure you are running a modern endpoint security program and remember that if it looks too good to be true, don't take the bait. It's called phishing for a reason.”
James Hadley, CEO and Founder of Immersive Labs, added: “Fortnite’s popularity, driven by gamers including the England football team, means there is an opportunity for cyber criminals to take advantage of the demand for the game and the latest releases. In life, if something seems too good to be true, it usually is just that; and cyber is no different. Cyber criminals rely on the draw of a new, exciting or trendy app outweighing the perceived negatives; in this case, getting an early release of Fortnite on Android for downloading another app. As a society, we need to get better at our general cyber awareness, weighing up the costs of how badly we need to play the latest games vs potentially exposing ourselves to malicious apps.”