Gaming giant Epic Games has inadvertently created new security risks as an unknown numbers of Android users have download malware-infested knockoffs of its hugely popular game Fortnite.
The revelations came on the heels of confirmation that Epic had decided to keep the Android version of its game – a runaway success that grew from 1 million to 125 million users in its first year – off of Google Play, the official app store for Android devices.
Instead, users of the Android version of Fortnite, which is currently in beta, must download an .APK installer file directly from the Epic Games website or Samsung website, then use that to install the game on their device.
Apps on the Google Play store are actively scanned for malware and curated over time to ensure smooth upgrades, with the Google Play Protect malware-scanning feature leveraging artificial intelligence algorithms to improve scanning in real time.
Bypassing Google Play requires users to explicitly enable the installation of apps from Unknown sources – an option that is turned off by default to protect users from malicious files they may have downloaded.
In this case, however, the opposite situation has rapidly evolved as scammers took note of the announcement and instead populated the Google Play store with ripoff versions of Fortnite that are loaded with malware.
At least seven different fake versions of Fortnite were identified on Google Play, with each claiming to be from an authorised Epic Games distributor but each including malware that would compromise the devices of anyone who installed them.
The situation got even worse when Google researchers recently revealed that a serious vulnerability in Epic Games’ installer would allow the execution of any program in place of the installer itself.
Google and Epic Games worked together to fix the issue within 48 hours, and an updated installer program was quickly made available for users to update with a single tap.
Profit-minded devs meet profit-minded crims
Android developers generally cite security concerns in steering users to the Google Play store, but Epic Games CEO Tim Sweeney said the move was partly due to Epic Games’ efforts to avoid the 30 percent “store tax” that Google imposes on apps sold through Google Play.
“It’s a high cost in a world where game developers’ 70 percent must cover all the cost of developing, operating, and supporting their games,” he told Digital Foundry technology editor Richard Leadbetter. “And it’s disproportionate to the cost of the services these stores perform, such as payment processing, download bandwidth, and customer service.”
Google Play is no stranger to fraudulent apps, with thousands of users regularly getting taken in by advertising scams, malware loaders, and apps that demand broad access to personal information that they don’t need.
Google actively patrols Google Play for miscreants and reportedly took down over 700,000 Android apps in 2017 alone – up 70 percent on the previous year.
Thanks to new analytical models and techniques, the company also banned more than 100,000 developers that it flagged during 2017 for violations of the Google Play terms of service.
Yet not all Google Play fraud involves malware: a recent analysis by Symantec identified 68 fraudulent apps from five developers, all of which contain “aggressive advertisements” that interfere with the user experience by capturing screen real-estate and refusing to give it back.
Developer EpicOmegaApps published 11 different apps in December 2017, each purporting a different function including unlocking a phone’s SIM card and using the phone as a wireless mouse.
The Sim Unlocker app, for example, has been downloaded over 50,000 times – but users will find nothing but a series of ads and dummy screens that, Symantec warns, “despite the detailed descriptions for the apps, provide none of the described functionalities.”
The analysis also calls out developer Pinwheel, which has published at least 40 fraudulent apps that entice users by appropriating the names of popular games and shows including Far Cry 5 (downloaded over 10,000 times) and 13 Reasons Why (more than 1000 times).
Copycat apps are a major focus of Google’s enforcement efforts, and the company took down more than 250,000 such apps during 2017.
Despite active and ongoing fraud campaigns by rogue Android developers, Epic Games’ Sweeney believes Android users are smart enough to avoid the traps placed around Google Play, and the inevitable malware and adware-ridden knockoffs that will inevitably be scattered around the internet.
He said the company would have done the same for its iOS version if it were possible, and dismissed concerns that the move would create security risks for its customers – arguing that “gamers have proven able to adopt safe software practices…. [and] mobile operating systems increasingly provide robust, permissions-based security.”
“In our view, this is the way all computer and smartphone platforms should provide security.”