As Fortnite fans await its mobile debut on Android, YouTube videos have been detected claiming to contain downloads for the game.
After various tutorial videos were discovered, research by Malwarebytes into the videos found that tutorial apps were not in the Google Play store, but users found links in YouTube’s sponsored adverts which appear legitimate, and feature the Epic Games logo.
Nathan Collier, senior malware intelligence analyst at Malwarebytes, found that upon downloading and opening the app it plays the Fortnite intro song and requests updates to be downloaded, before requesting mobile verification from the user.
“There, it claims to be for the purpose of verifying 'You’r Not A BOT' (bad grammar and all) in order to proceed to Fortnite,” Collier said. “To ‘verify’ the user must complete a task, which involves downloading another ‘free’ app.”
This directs to Google Play, but Collier said no matter how many apps you download, the game never unlocks, because it never existed within the malicious app in the first place.
He said: “The more downloads that come from the website, the more money the malware developers can make. With the app being so simplistic, the amount of development effort is pretty low for the amount that could be potentially gained.”
James Hadley, CEO and founder of Immersive Labs, said: “Fortnite’s popularity, driven by gamers including the England football team, means there is an opportunity for cyber-criminals to take advantage of the demand for the game and the latest releases.
“In life, if something seems too good to be true, it usually is just that; and cyber is no different. Cyber-criminals rely on the draw of a new, exciting or trendy app outweighing the perceived negatives; in this case, getting an early release of Fortnite on Android for downloading another app.”
Javvad Malik, security advocate at AlienVault, said that ongoing user awareness is essential to ensure users are savvy to the risks that can affect them, and defenses to stop such malware making its way into app stores, or running on devices, needs to be continually improved.
Steve Giguere, lead EMEA engineer at Synopsys, added: “There's no shame in being caught out by schemes or scams like these, but we need to learn that where we exhibit human weakness, the cyber-criminal will be present looking to take advantage to turn our nature against us.
“As attacks like these become more common place, awareness will inevitably follow; but until then, ensure you are running a modern endpoint security program and remember that if you think it looks too good to be true, don't take the bait - it's called phishing for a reason.”