Security experts are dismayed after the makers of extremely popular video game Fortnite said its Android version of the game will only be available for download via the company’s website, shirking the Google Play store.
Last week, Fortnite creator Epic Games confirmed that it will directly distribute its game through its website, bypassing Google Play for the Android launch of the game. The company said that the move would help Epic Games avoid the 30 percent revenue share that Google would collect for hosting the game title in its store.
However, security experts stress that there are significant security downsides with encouraging millions of users to install a third-party app outside of an official app store – particularly as fake Fortnite apps have cropped up as a way for bad actors to launch scams and distribute malware.
“I think it’s a shame because this marketplace can do a lot in terms of security by protecting the end users through automated code reviews,” Ben Herzberg, director of threat research at Imperva, told Threatpost. “It would make it easier for people to try to get people to install fake Fortnite applications, but also the minute that people are told to download the apps from another place, people become used to doing things that aren’t healthy for them.”
Fortnite has shot up in popularity, with new market data showing that the mobile app has recently surpassed 100 million downloads. The game is currently available on the iOS App Store.
Epic Games CEO Tim Sweeney said the reason for offering direct download is financial, telling The Verge in a statement: “The 30 percent store tax is a high cost in a world where game developers’ 70 percent must cover all the cost of developing, operating, and supporting their games. There’s a rationale for this on console where there’s enormous investment in hardware, often sold below cost, and marketing campaigns in broad partnership with publishers.”
While that 30 percent cut is a financial burden, according to Epic Games, installation downloads that aren’t on the Google Play market won’t include security prompts from Google or waiving protections in Android settings. Importantly these security measures include a tab that notifies users if the app they are downloading comes from “unknown sources.”
Sweeney, for his part, said in a tweet that a “download” button will exist on Android Oreo devices to install the game following “several security prompts.”
A "download" button is coming to https://t.co/8upfAAOWZE. On the latest Android Oreo devices, this goes directly to a download link which installs the game following user acceptance of several security prompts – no "unknown sources" involved.
— Tim Sweeney (@TimSweeneyEpic) August 3, 2018
However, that is still concerning when it comes to security given that only 12 percent of Android phones are running on the latest version, according to Google.
“I can understand Epic Games feeling mightily miffed that Google tries to take a 30% cut from any sales in its online store, but encouraging Android users to download apps from non-official sources is not a good idea,” Graham Cluley said in a Monday post.
Despite these measures, marketplaces like Google Play also run a code analysis that verifies whether applications are malicious, and will take steps in removing malicious apps.
“The most important other thing is that once malicious apps are on the market, if they get caught, there’s no escaping, they will be kicked off,” said Herzberg. “There’s been some cases where they distribute something through the marketplace and get kicked out.”
Fortnite has millions of players, making it one of the most popular games currently on the market – and also an easy target for scammers looking to make money off users. Most recently, scammers have tempted gamers by promising them free in-game currency (Fortnite V-Bucks), when in reality, the gamers are not getting anything. Scammers on the other hand are getting paid for different “pay-per-lead” actions done by the gamers.
In May, ThreatLabZ researchers said that they observed Android spyware, cryptomining malware and a scam app claiming to help players earn free V-bucks. The latter was actually found in Google Play, a Zscaler spokesperson told Threatpost, but the remaining were found on third-party app stores.
In another popular scam bad actors release YouTube videos with links to scam versions of the game. Once a faux version is installed, it asks for more downloads, one after another – and the scammers make a commission on each download. The scam apps can also spread malware.
“Google’s policing of the official Android marketplace has often fallen short, but there is no doubt that installing apps from unofficial sources exposes your Android device to greater risks,” Cluley said.
Moving forward, Herzberg said that Android users should be wary when installing any mobile app – particularly of games installed via advertisements.
“I wouldn’t suggest not downloading Fortnite,” he said. “I would make sure to only download from their direct website.”