Fake Fortnite App Creates Mobile Cybersecurity Threat

Samuel Bakken, July 10, 2018

Earlier this month, IT news organizations around the globe reported that Epic Games’ popular Fortnite game was being counterfeited and that malicious actors were, in fact, lacing the imposter apps with malware.

We’re only human, and people unwittingly let their guard down in anticipation of something they're passionate about, or when they think they might be getting a bargain or exclusive access to something before everyone else. In the end, if something seems too good to be true—an advanced copy of a popular game via unofficial channels before it's available to the public for instance—it probably is.

iOS Fortnite App and Taking Advantage of Holes in the Market

As mentioned in App Developer Magazine, Fortnite has a massive fan following. Epic Games created a frenzy of excitement by bringing its extremely popular online shooter to iOS mobile devices in the form of a Fortnite app. Of course, Android users don’t like being left behind, and attackers see the hole in the Android market as an opportunity to target users trying to get in on the action.

This has led to an influx of fake Android apps that are hoodwinking users. In this latest case, users download these imposter apps hoping to join in on the Fortnite fun, but instead they are asked to download a bunch of apps in order to unlock the game and are never actually granted access. Earlier in May, security researchers identified a number of Fortnite imposter apps for Android that actually accessed device cameras, harvested personal information, recorded audio, or mined cryptocurrency. Unfortunately, imposter apps are a serious risk that people, especially those of us who have trouble delaying gratification, must be wary of when it comes to the mobile apps we use (or really want to use) each day.

Hackers like to take advantage when real applications have not been released yet, or when a new feature is expected to be released but has not quite made it to the market. In general, users should avoid downloading apps from any place other than official stores. Third-party app stores don’t usually apply the same scrutiny to the apps they publish as the Apple App Store or Google Play Store do. Even so, there are cases of malicious apps making it onto the official app stores too.

The Fortnite App Lesson for App Developers

There is also a lesson here for app developers, who should protect their apps and their users against repackaging schemes similar to this recent fake Fortnite app debacle. Repackaging is when an attacker takes a legitimate app from an app store, injects malicious code into it, and then publishes the repackaged, counterfeit app on an app store.

Fortunately, the situation isn’t hopeless. App shielding technology can detect when an Android or iOS app has been repackaged and prohibit it from executing and compromising a user. Among other defenses, app shielding can also prevent attackers from injecting malicious code into an app as it runs and protect against an attacker reverse-engineering the app to find exploitable vulnerabilities. And perhaps best of all, some app shielding technology can fortify an app post-coding with little to no effort from the development team.
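One basic repackaging check on Android, as an added example that is not from the original article or from any shielding product: an attacker who repackages an APK does not hold the developer's signing key and must re-sign it, so the app can compare its own signing certificate with a pinned digest. The `EXPECTED_SIGNER_SHA256` value is a placeholder and the function names are illustrative.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.security.MessageDigest

// Placeholder (assumption): lowercase hex SHA-256 of your release signing certificate.
private const val EXPECTED_SIGNER_SHA256 = "<sha256-of-your-release-certificate>"

// Returns the SHA-256 digests of the certificates that signed the installed APK.
fun signerDigests(context: Context): Set<String> {
    val pm = context.packageManager
    val signers = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        // apkContentsSigners lists the current signer(s), without rotated-out certificates.
        pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
            .signingInfo?.apkContentsSigners
    } else {
        @Suppress("DEPRECATION")
        pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNATURES).signatures
    } ?: emptyArray()

    return signers.map { sig ->
        MessageDigest.getInstance("SHA-256")
            .digest(sig.toByteArray())
            .joinToString("") { "%02x".format(it) }
    }.toSet()
}

// True when the APK is unsigned as far as we can tell, or any signer is not the pinned one.
fun looksRepackaged(context: Context): Boolean {
    val digests = signerDigests(context)
    return digests.isEmpty() || digests.any { it != EXPECTED_SIGNER_SHA256 }
}

// Illustrative call site: refuse to continue when the signer does not match.
fun enforceSignerCheck(context: Context) {
    if (looksRepackaged(context)) {
        throw SecurityException("Signing certificate mismatch: app may be repackaged")
    }
}
```

Because this check ships inside the app, an attacker who repackages the app can also patch the check out, so treat it as one signal alongside the other defenses the article lists.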

App shielding and hardening add security functionality directly to mobile apps (again in some cases through intuitive portals that don’t require mobile development expertise) for the detection and prevention of application-level intrusions by:

  • Proactively shielding applications from malware
  • Controlling execution and preventing real-time attacks
  • Protecting mobile apps to ensure data and transactions are not compromised
  • Maintaining a mobile app’s runtime integrity, even if a user inadvertently downloads malware onto their device

Developers sometimes view security as yet another obstacle to surmount in the face of the ceaseless demand for more features more quickly. App shielding makes security relatively easy for developers and gives them a great opportunity to protect the fruits of their labor and their users. App shielding is only one part of a complete app security program, but it makes mobile app security easier and more efficient so that developers can focus on creating an optimal user experience while also accelerating time-to-market.

This article, authored by Sam Bakken, a Senior Product Marketing Manager with OneSpan, first appeared 7/05/18 on App Developer Magazine with the original title “Avoid Mobile Cybersecurity Threats by Checking the Source”.

Sam is Senior Product Marketing Manager responsible for the OneSpan mobile app security portfolio and has nearly 10 years of experience in information security.