Fortnite Skips Google Play For Android Apps, Irking Security Experts

Security experts aren’t happy after Fortnite’s creator, Epic Games, announced it would not go through Google Play.

Security experts are dismayed after the makers of extremely popular video game Fortnite said its Android version of the game will only be available for download via the company’s website, shirking the Google Play store.

Last week, Fortnite creator Epic Games confirmed that it will directly distribute its game through its website, bypassing Google Play for the Android launch of the game. The company said that the move would help Epic Games avoid the 30 percent revenue share that Google would collect for hosting the game title in its store.

However, security experts stress that there are significant security downsides with encouraging millions of  users to install a third-party app outside of an official app store – particularly as fake Fortnite apps have cropped up as a way for bad actors to launch scams and distribute malware.

“I think it’s a shame because this marketplace can do a lot in terms of security by protecting the end users through automated code reviews,” Ben Herzberg, director of threat research at Imperva, told Threatpost. “It would make it easier for people to try to get people to install fake Fortnite applications, but also the minute that people are told to download the apps from another place, people become used to doing things that aren’t healthy for them.”

Fortnite has shot up in popularity, with new market data showing that the mobile app has recently surpassed 100 million downloads. The game is currently available on the iOS App Store.

Epic Games CEO Tim Sweeney said the reason for offering direct download is financial, telling The Verge in a statement: “The 30 percent store tax is a high cost in a world where game developers’ 70 percent must cover all the cost of developing, operating, and supporting their games. There’s a rationale for this on console where there’s enormous investment in hardware, often sold below cost, and marketing campaigns in broad partnership with publishers.”

While that 30 percent cut is a financial burden, according to Epic Games, installation downloads that aren’t on the Google Play market won’t include security prompts from Google or waiving protections in Android settings. Importantly these security measures include a tab that notifies users if the app they are downloading comes from “unknown sources.”

Sweeney, for his part, said in a tweet that a “download” button will exist on Android Oreo devices to install the game following “several security prompts.”

However, that is still concerning when it comes to security given that only 12 percent of Android phones are running on the latest version, according to Google.

“I can understand Epic Games feeling mightily miffed that Google tries to take a 30% cut from any sales in its online store, but encouraging Android users to download apps from non-official sources is not a good idea,” Graham Cluley said in a Monday post.

Despite these measures, marketplaces like Google Play also run a code analysis that verifies whether applications are malicious, and will take steps in removing malicious apps.

“The most important other thing is that once malicious apps are on the market, if they get caught, there’s no escaping, they will be kicked off,” said Herzberg. “There’s been some cases where they distribute something through the marketplace and get kicked out.”

Fortnite Risks

Fortnite has millions of players, making it one of the most popular games currently on the market – and also an easy target for scammers looking to make money off users. Most recently, scammers have tempted gamers by promising them free in-game currency (Fortnite V-Bucks), when in reality, the gamers are not getting anything. Scammers on the other hand are getting paid for different “pay-per-lead” actions done by the gamers.

In May, ThreatLabZ researchers said that they observed Android spyware, cryptomining malware and a scam app claiming to help players earn free V-bucks. The latter was actually found in Google Play, a Zscaler spokesperson told Threatpost, but the remaining were found on third-party app stores.

In another popular scam bad actors release YouTube videos with links to scam versions of the game. Once a faux version is installed, it asks for more downloads, one after another – and the scammers make a commission on each download. The scam apps can also spread malware.

“Google’s policing of the official Android marketplace has often fallen short, but there is no doubt that installing apps from unofficial sources exposes your Android device to greater risks,” Cluley said.

Moving forward, Herzberg said that Android users should be wary when installing any mobile app – particularly of games installed via advertisements.

“I wouldn’t suggest not downloading Fortnite,” he said. “I would make sure to only download from their direct website.”


Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.


  • zelon88 on

    I support Epic Games. Any researcher who thinks they can have one iota of faith in Google Play is delusional. What those researchers should be doing instead of calling out Epic is calling out Google for strangling competition, gouging developers, and refusing to make it easy for their "open source" platform to be configured any other way by device manufacturers than what Google views as beneficiary. I am disgusted that anyone from the security world would insinuate that we're better off paying Google's code ransom to stay safe than pioneer a way out of this privacy nightmare we find ourselves in. That's the digital equivilent of saying that we should allow the TSA scan your naked body at the airport because it's better to be safe than free.
  • Jp3tr0 on

    Yeah....this is bad. Setting a precedent for this, with such a popular application, significantly affects the the mobile threat landscape and risk profiling for mobile app vulnerability management. Ussers will be forced to configure their device in an insecure state (Allowing installation of apps from unknown sources). At that point, the typical end user will leave their device in that state, and from then on, many other vulnerabilities identified in other mobile applications (e.g. tapjacking, etc) that typically require the download and installation of a malicious 3rd party app in order to be exploited, now no longer have that mitigating factor of the user having to explicitly configure their device in an insecure state as a prequisite for exploitation. It will already be that way. Hopefully Google or Epic Games, can implement a control (granular trusted app source acls in Android) or at the very least, provide awareness/education on the risk. Even at that point though, still a less than favorable decison from the developer.
  • John on

    Sorry... how is this Epic’s problem? It’s Google’s problem so why would epic give a damn? Maybe if Google didn’t try and rip off developers with a 30% cut Epic wouldn’t go outside of the Play store. Instead it has and any user behavioural issues that arise from that is Google’s own fault and their own problem.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.