Fake Fortnite installers for Android spread malware in global campaign


A campaign has been detected that spreads fake Fortnite games for Android, leading to malware infections

Fortnite is one of the most popular video games at this time, so it has attracted the attention of both players and malicious users. Two weeks ago, the CEO of Epic Games stated that the game would not be available in the Google Play Store repository. As a result, users download the APK (installation file) from the vendor’s download sites. According to cyber security organization experts, groups of hackers have exploited this situation to take advantage of users.

As soon as the game was officially launched, numerous download sites appeared trying to impersonate the legitimate site; to do so, they copied the design of the original page. Because the app is not distributed on Google Play, the malware protection scan does not run. Google can automatically detect some malicious copies and delete them, but when an app is distributed outside the Play Store it is much more difficult to distinguish the genuine app from the fake.

However, cyber security organization experts have pointed out some warning signs of a fake Fortnite installer:

  • The URL includes the string “Fortnite” but does not contain the name Epic Games or other names that form part of the vendor’s official site.
  • Hackers behind fake apps use the same web design elements and startup pages to build convincing-looking sites.
  • In some cases a complex network of redirect links can be built. Links to fake pages can be distributed in game forums, communities, social networks, etc.
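
The first and third warning signs can be turned into a URL triage check. The following Python code is an added example, not code from the original article: it compares the parsed hostname against an allowlist instead of searching the URL for the vendor's name, because a fake site can place that name in a subdomain or in the userinfo part of a link. The allowlist entries, function names and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains operated by the vendor. The article names none, so
# confirm this list against the vendor's own announcements before relying on it.
OFFICIAL_DOMAINS = {"epicgames.com", "fortnite.com"}
BRAND_TERMS = ("fortnite",)


def is_official_host(host):
    """True only for an allowlisted domain or a true subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_url(url):
    """Return 'official', 'suspicious' (brand term on a foreign host) or 'unrelated'."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = parts.hostname or ""  # excludes userinfo ("user@") and port
    if is_official_host(host):
        return "official"
    text = f"{host}{parts.path}?{parts.query}".lower()
    return "suspicious" if any(t in text for t in BRAND_TERMS) else "unrelated"


def classify_chain(hops):
    """Judge a redirect chain (URLs in order) by where it lands, then by any hop."""
    verdicts = [classify_url(u) for u in hops]
    if verdicts and verdicts[-1] == "official":
        return "official"
    return "suspicious" if "suspicious" in verdicts else "unrelated"


# Constructed sample URLs (reserved .example names, not real indicators).
SAMPLES = [
    "https://www.epicgames.com/fortnite/mobile/android",
    "https://fortnite-android-apk.example/download",
    "https://epicgames.com.fortnite-install.example/",
    "https://epicgames.com@get-fortnite.example/apk",
    "https://news.example/article",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify_url(u):<10} {u}")
```

A "suspicious" verdict is a prompt for manual review, not proof of malware; the check only encodes the URL-based warning signs listed above.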

Malware found in fake Fortnite installers for Android

The collected samples can be grouped into versions from two different families. The first group is known as “FakeNight”, which shows a Fortnite loading screen as soon as the fake game starts. Then, a notification is shown to the user displaying the message “Mobile verification is required”. The user is then redirected to a browser that tells them to click on the ads; in return, game codes are promised to the victim. Interaction with the threat will not return any benefit.

The second malware variant, known as “WeakSignal”, displays a series of ads on the user’s screen followed by a message that reports a weak WiFi signal. Ads are continuously presented to users.

According to cyber security organization experts from the International Institute of Cyber Security, both variants of malware are delivery mechanisms for so-called “click farms”, utility software used by hackers to monetize advertising revenues.