Cybersecurity | 12 Sep 2018 | 7 mins read

Fortnite Android App Investigation: Spyware Risks

We analyzed over 30 Fortnite Android app files downloaded from unofficial marketplaces, including Amazon, and found over 20% of them could be used to spy on you. We discovered apps that can access your camera, track your location, monitor calls, read your contacts and more. Only a minority were actually legitimate apps of any sort as a further 40% were either thinly-veiled adware or scams.

Simon Migliano, Head of Research

Summary Findings

32 apps were analyzed from 12 app stores, including Amazon. Over 50% of apps tested had some kind of issue. We categorized the apps as follows based on what we found:

  • Permissions with privacy risk: 7 apps
  • Adware: 8 apps
  • Scams/malware: 4 apps
  • Low risk: 13 apps

Our biggest concerns relate to the excessive permissions. We found apps that can be used to spy on people by tracking location, reading contacts, using the camera – even secretly making phone calls. None of these permissions are present in the official Fortnite game files.

Background

Fortnite is a hugely popular multi-platform video game. Publisher Epic launched the beta of the Android version of the game last month but decided to distribute the app directly rather than via Google Play. Although free to play, Fortnite already generates millions of dollars a month on iOS via in-app purchases, of which Google would be entitled to 30% if it were available to download from their Play store.

Epic’s business decision means that gamers are at much greater risk of downloading rogue apps as they find themselves on unofficial app marketplaces that appear in Google searches for “download Fortnite APK” and similar. The risk is exacerbated by the young age of a large proportion of the Fortnite player base. In fact a vulnerability in the Fortnite Installer was discovered on day one of the beta, a stark indication of the risks of circumventing the official stores.

1. Excessive Permissions: Potential Spyware

The following table summarizes the worst Android app permissions we discovered in the apps we analysed. None of them can be found in the official Fortnite Installer Android app or in the full game. These are the permissions most open to abuse, particularly for spying on users of any device on which the apps have been installed. We found many other unnecessary permissions; these can be found in the full research findings (permissions appendix).

Privacy Red Flags

Permission | What does it do?
CAMERA | Take pictures and videos with the camera. This allows the application to collect images that the camera is seeing at any time.
CALL_PHONE | Initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed.
ACCESS_FINE_LOCATION | Access fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications can use this to determine where you are and may consume additional battery power.
READ_PHONE_STATE | Access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on.
READ_CONTACTS | Read all of the contact (address) data stored on your phone. Malicious applications can use this to send your data to other people.
INSTALL_PACKAGES | Install new or updated Android packages. Malicious applications can use this to add new applications with arbitrarily powerful permissions.
WRITE_SETTINGS | Modify the system’s settings data. Malicious applications can corrupt your system’s configuration.
ACCESS_COARSE_LOCATION | Access coarse location sources, such as the mobile network database or Wi-Fi network, to determine an approximate phone location, where available. Malicious applications can use this to determine approximately where you are.

Apptoide Market

Apps

  1. Fortnite Installer
  2. Fortnite Companion
  3. Guide for Fortnite Battle Royale
  4. Fortbuddy Companion for Fortnite

No. of Permissions

24 identical permissions across each of the four apps.

NB: official Fortnite Installer has 9 permissions

Findings

These four apps have the longest list of permissions of any app that we tested, almost three times as many as the official installer. Alarmingly, even though three of the four apps are supposedly guides that claim to help you play Fortnite rather than the game file itself, all four have identical permissions. Worse, 6 of the 8 worst permissions we have identified in the “rogues gallery” above are present here.

  • CAMERA
  • ACCESS_FINE_LOCATION
  • READ_CONTACTS
  • INSTALL_PACKAGES
  • WRITE_SETTINGS
  • ACCESS_COARSE_LOCATION

There’s no question that these permissions could be used to spy on the owner of any device with these apps installed, especially in combination with the INTERNET permission also present. This very common permission, which is also used in the official app, allows an app to go online. Together, they could be used to transmit your location and any images that the camera is seeing at any time to a third party. Similarly, they permit snooping on the contents of your address book or SD card.

The INSTALL_PACKAGES permission is particularly dangerous, as it allows the app to download additional software without needing to ask for further permission. This in effect creates a backdoor for malware onto your device.

These red flag permissions are just part of a longer list that grant wide-ranging powers to the installed apps. Others allow the apps to make changes to your Wi-Fi networks and receive data not directly addressed to your phone. They can also collect information about connectivity, sync settings and stats.

It appears that whoever uploaded the Fortnite Installer app to the Apptoide marketplace took the opportunity to combine the game files with those of the marketplace app to take advantage of interest in Fortnite and sneak additional installs in order to increase its user base. However, ethics of this approach aside, these permissions are also excessive for a marketplace app and so these apps should be avoided completely from a privacy and security perspective.

Amazon

Apps

Basic Guide for Fortnite

We tested 8 other Fortnite apps from the Amazon app store and while they were adware to be avoided they did not have excessive permissions that could be used to spy on you.

No. of Permissions

17 permissions

NB: official Fortnite Installer has 9 permissions

Findings

We discovered a high volume of apps labelled simply “Fortnite” on the Amazon app store that used official game imagery to advertise themselves; however, these were mostly adware. The Basic Guide for Fortnite is an incredibly basic app, offering text-based tips on how to play the incredibly popular game. However, it features 6 of the 8 “red flag” spy permissions we identified.

  • CALL_PHONE
  • ACCESS_FINE_LOCATION
  • ACCESS_COARSE_LOCATION
  • CAMERA
  • READ_EXTERNAL_STORAGE
  • READ_PHONE_STATE

This app has some of the most egregious permissions of all. The CALL_PHONE permission can not only be used to dial premium numbers and cost you money but could also be used to effectively bug you by initiating a call and recording the audio.

READ_PHONE_STATE also sets off alarm bells, given the sensitivity of the information to which it gives the developer access. Not only does it give access to your phone number and your device serial number but also whether you are making a call at any given time and the phone number you have dialled. It’s absurdly intrusive for a text guide and open to significant potential abuse.

These two permissions alone would be enough to flag this app as dangerous, but it also has the same issues as the Apptoide apps, namely that it can be used to track your location accurately and view all images your camera is seeing and share them with a third party thanks to the additional INTERNET permission.

Other notable excessive permissions include the ability to discover, pair with and connect to Bluetooth devices.

There is no justification for these permissions in such a simple app. While we did not find clear evidence that these permissions were being abused at the time of testing, we would strongly advise against installing this app due to the potential for significant abuse.

APK Here

Apps

“Fortnite 5.0”

No. of Permissions

9 permissions

NB: official Fortnite Installer has 9 permissions

Findings

The “Fortnite 5.0” apk we downloaded was misleading in that it wasn’t actually a playable game and instead was another guide despite all evidence to the contrary on its marketplace listing. While it had lower potential for spying than the worst offenders, we still discovered 3 of the 8 “red flag” permissions listed above.

  • ACCESS_COARSE_LOCATION
  • ACCESS_FINE_LOCATION
  • WRITE_SETTINGS

This app can use your connections to cell towers and Wi-Fi networks to calculate your approximate location as well as zeroing in accurately on where you are using GPS. Thanks to the additional INTERNET permission, the app can go online and share this information with a third party. It can also change settings on your device. Any app that seeks to track your location without good reason should be avoided.

Mobango

Apps

Fortnite – Battle Royale

No. of Permissions

6 permissions

NB: official Fortnite Installer has 9 permissions

Findings

This is another misleading app: a poor quality game guide masquerading as the official game. While it doesn’t have as long a list of risky permissions as some of the other apps analysed, with 2 of the worst 8 present, it does have one of the most open to abuse.

  • ACCESS_COARSE_LOCATION
  • READ_PHONE_STATE

As stated elsewhere in this report, READ_PHONE_STATE is a dangerous permission. Not only does it give the app developer access to your phone number and your device serial number but also whether you are making a call at any given time and the phone number you have dialled. As before, this permission is absurdly intrusive for a text guide and open to significant potential abuse.

2. Adware

Eight of the apps we tested could be characterized as adware. These are very simple apps, as little as four screens of poorly-written plain text on a colored background explaining the basics of Fortnite. They are however absolutely riddled with ads, throwing up full-page ads at every click.

These apps are typically labelled as “Fortnite” and use official images as their app logos and in their descriptions, tricking unsuspecting users into downloading them in the hope of getting the game. Instead, they generate ad impressions as duped users click through the app looking for content. It may take thousands of impressions to scratch together a few cents but the global frenzy around Fortnite means the developers can eke out a profit.

Amazon

Amazon is infested with Fortnite adware. We tested seven that were all very similar, and there are more appearing every day. We suspect that the same developers are behind many of the apps due to their similarity, simply using a different developer name each time.

Developers of these apps include:

  • The Wind
  • Matax
  • Morata
  • Luca
  • Jessy Studios
  • Xamer

While these apps did not appear dangerous in our testing, they are certainly predatory given the demographics of the Fortnite player base and we would expect better quality control from a company like Amazon.

APK Here

One of the three Fortnite apps on APK Here should be classed as adware. “Fortnite Battle Royale” is a fake app that instead auto-downloads when you click on the listing, i.e. it doesn’t direct you to a listing page, and installs the APK Here marketplace app rather than Fortnite. Only “Companion for Fortnite & Fortnite Battle Royale” is a legitimate app, albeit unofficial, ad-supported and of questionable quality.

3. Scams & Malware

We found four blatant scams: two click farms and two apps which failed malware scans.

Click Farms

We found two instances of simple click farms, which trick unsuspecting users into clicking surveys in order to get the game files as a reward.

The developers get fractions of a cent for each click but bank on volume to make a profit. There is no game for download.

Malware Flagged

Of the two that raised malware red flags, the Fortnite APK on the Getjar marketplace was a dummy app that used the Fortnite logo and branding. It raised a flag for containing a PUP (potentially unwanted program).

Upon installation, the app appears to scan your phone only to suggest it cannot complete installation of the game due to an incompatible device model (NB: our test device does successfully run the official installer and game). The app then requests your email address, promising to contact you when your device is supported. It’s likely that harvested email addresses will be used for phishing or sold on the dark web.

The other file, Fortnite Mobile APK, is self-hosted on a page that appears on the first page of Google search results for relevant terms. This raised 16 flags for malware, with suggestions of a trojan, PUP and being a fake app.

However, when we installed this Fortnite Mobile APK in a controlled environment, we discovered that the app plays a series of videos that mimic the Fortnite loading screens. This ersatz Fortnite app then asks you to download and review unrelated third-party apps in order to complete the installation process.

There are no game files at all within this APK file; instead, the developer earns referral fees from the developers of the downloaded apps. While we were unable to determine if there was a genuine malware payload in the app, we would recommend avoiding it.

Conclusion

With over 50% of Fortnite Android apps suffering from some kind of issue, it’s clear that fans of the game should take great care to download only from the Epic website itself. It remains a problem though that searching on Google and looking at aggregators (in this example, marketplaces) is firmly entrenched consumer behavior.

It’s unclear whether the inclusion of these dangerous permissions is malicious or not. The most charitable explanation could be dangerous negligence and incompetence on the part of developers looking to make a quick buck. Regardless, installing one of these APKs is the modern-day equivalent of slipping a CD into your computer that was handed to you by a shady guy on a street corner. We have no idea about the identity of these digital bootleggers, nor of their intentions, so it’s best to stay well away from even the files we marked as low risk in our study.

Methodology: We searched for “Download Fortnite APK” and related terms on Google as well as popular alternatives to Google Play and searched for Fortnite. We downloaded any APK labelled as “Fortnite” or “Fortnite Installer” as well as prominent companion and guide apps.

We scanned the APK files with the NVISO Scan and VirusTotal tools. Some of these APK files had to be extracted from within the app of the marketplace from which it was downloaded. The research then compared scan results with those from official APK files and conducted line-by-line analysis of any differing results.
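
The comparison step described above, as an added example (not code from the original report): it reads the permissions from a decoded AndroidManifest.xml, diffs them against a trusted baseline and flags the eight red-flag permissions from the table. The baseline and sample manifests are constructed for illustration (the official installer's actual permission list is not reproduced here), and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# The eight "red flag" permissions from the report's table.
RED_FLAGS = {PREFIX + p for p in (
    "CAMERA", "CALL_PHONE", "ACCESS_FINE_LOCATION", "READ_PHONE_STATE",
    "READ_CONTACTS", "INSTALL_PACKAGES", "WRITE_SETTINGS",
    "ACCESS_COARSE_LOCATION")}


def manifest_permissions(manifest_xml):
    """Return the set of permissions requested in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                found.add(name.strip())
    return found


def audit(sample_xml, baseline_xml):
    """Diff a sample's permissions against a trusted baseline manifest."""
    sample = manifest_permissions(sample_xml)
    extra = sample - manifest_permissions(baseline_xml)
    red = extra & RED_FLAGS
    return {
        "extra": sorted(extra),
        "red_flags": sorted(red),
        # Sensitive data plus network access means the data can leave the device.
        "can_exfiltrate": bool(red) and PREFIX + "INTERNET" in sample,
    }


def _manifest(*names):
    """Build a minimal decoded manifest (constructed test data)."""
    rows = "".join('<uses-permission android:name="%s%s"/>' % (PREFIX, n) for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="example.constructed">%s</manifest>' % rows)


# Constructed stand-in for a trusted baseline; NOT the official installer's real list.
BASELINE = _manifest("INTERNET", "ACCESS_NETWORK_STATE", "WRITE_EXTERNAL_STORAGE")
# Constructed sample modelled on the "Fortnite 5.0" finding above.
SAMPLE = _manifest("INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_COARSE_LOCATION",
                   "ACCESS_FINE_LOCATION", "WRITE_SETTINGS")

if __name__ == "__main__":
    print(audit(SAMPLE, BASELINE))
```

Only names in the `android.permission.` namespace are matched, so a custom permission that merely ends in `CAMERA` is reported as extra but not as a red flag.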

A full list of apps tested with links to their scan results can be found at Top10VPN Fortnite Android Investigation – Apps List and a breakdown of all excessive permissions at Top10VPN Fortnite Android Investigation – Permissions.