Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Fortnite mobile app: Android download links in APK tutorials found to contain malware

An official Fortnite Android app is expected to launch on Google Play in the summer

Anthony Cuthbertson
Monday 25 June 2018 09:25 BST
Fake Fortnite mobile apps are appearing online in searches for 'How to install Fortnite'
Fake Fortnite mobile apps are appearing online in searches for 'How to install Fortnite' (Fortnite)

The popular video game Fortnite is set to launch an Android app later this summer and online video tutorials which purportedly explain how to download the mobile game are already appearing online.

Fortnite is already available on the Xbox One, Playstation 4, Nintendo Switch, PC, Mac and iOS – leaving Android the last major platform not to be supported.

The popular game – described by its creators as a cross between Minecraft and Left 4 Dead – already has more than 45 million players, despite launching less than a year ago.

This popularity, combined with the anticipation for an Android version, has resulted in cyber criminals attempting to capitalise on people’s eagerness by creating fake versions that contain malware.

Read More: Compare providers and find the best deals with our Mobile Phone Deals page

Lukas Stefanko, a malware researcher at IT security firm ESET, found one version containing a Trojan SMS – a type of malware that secretly runs in the background that enables cyber criminals to send text messages from the infected device to premium rate phone numbers.

“There are dozens of YouTube videos with millions of views leading users to fake ad generating revenue,” Mr Stefanko told The Independent.

“The risks are high because people believe and download whatever app they find in the description under YouTube videos. In one case, I found Trojan-SMS, but there could be ransomware, banking malware or spying software.”

Other security researchers have previously noted fake Fortnite apps contain spyware, which is capable of harvesting people’s data and wiping a device of its data.

“Users should beware of malware authors looking to exploit their desire to play Fortnite on Android,” researchers at cyber security firm Zscaler said in May.

“We urge users to download games only from authorised and legitimate sources, such as Google Play.”

Many of the links to the fake apps appear in the descriptions of the YouTube videos claiming to offer ways to download Fortnite through Android Package Kits (APK) which circumvent the Google Play app store.

Nathan Collier, a security researcher at Malwarebytes, noted the proliferation of the videos on YouTube.

“Every time there is craze around a new video game release, consequently we see malware authors jumping into the game,” he said in a blog post this week.

Fortnite now on Nintendo Switch trailer

Epic Games has not acknowledged the issues but Google, the company behind the Android operating system, told The Independent it is removing videos which promote scams.

“Our Community Guidelines prohibit spam, scams, and other deceptive practices and we remove these video when we are made aware of them,” the spokesperson for YouTube said.

“We are committed to removing spam quickly, in many cases, preventing it from ever being viewed by users, while also making sure that we do not harm legitimate creators.”

According to Mr Stefanko, only the Fortnite game is being used by cyber criminals to take advantage of unsuspecting web users due to its popularity.

“It is unique right now for Fortnite because of the hype around this popular game and the anticipation of an official announcement of a legitimate app,” he said.

“I’m not sure what Google or Epic Games can do about it. I guess there’s not much they can do, beyond spreading awareness.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in