CyberWire Daily - Fake Fortnite app scams infect gamers. [Research Saturday]
Episode Date: March 2, 2019
Researchers at Zscaler have been tracking a variety of fake versions of the popular Fortnite game on the Google Play store, along with associated scams. Deepen Desai is head of security research at Zscaler, and he joins us to share their findings. The original research can be found here: https://www.zscaler.com/blogs/research/fake-fortnite-apps-scamming-and-spying-android-gamers
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
Back in May 2018, when we published our research, Fortnite had about 45 million players worldwide.
That's Deepen Desai. He's head of security research at Zscaler. The research we're discussing today is titled "Fake Fortnite Apps Scamming and Spying on Android Gamers."
The popularity has grown immensely since then as well.
But it was always on our radar to track different popular apps, trending apps,
because those are the ones that are being targeted by the malicious actors.
And what we saw back then was not one, but there were several different fake Fortnite apps for Android users that were trying to take advantage of the popularity of the game.
Now, to be clear here, at the time when you originally published this research, Fortnite had not yet been released for Android devices.
So these bad actors were taking advantage of the desire for the game by putting out fake versions on the Play Store?
That is accurate. So at that time, Epic basically announced that it will be extending its support
to mobile platforms. And it already launched the iOS version of the game. The Android version of
the game was planned for summer of 2017, tentatively, but there was no official date announced. So that was the situation, but as you know, there are a lot of eager gamers that were waiting for that app. So we did see a bunch of fake Fortnite apps being available on third-party as well as, you know, some of the malicious web stores.
Well, let's go through some of the ones that you found, one at a time here. One of them involved some spyware. Can you walk us through what was going on with this one?
Right. So the first one that we mentioned is the spying app. This is basically allowing the attacker to monitor all the incoming and outgoing calls on the infected device. It's able to harvest call logs, get phone contacts and other information from the infected system. The attacker can also access the camera, take pictures and remotely wipe data on the device. So it was a full-fledged remote control app, which we saw in this case getting installed on the user system.
Now, this was able to keylog as well?
It was able to keylog as well, yes.
And what did you see in terms of this connecting with any sort of command and control server?
Had that occurred?
So during our analysis, we did notice that it was calling back to a C&C server, but the server was not online. So we did see the code, but we haven't seen any successful connection at the time of analysis. So that's why we mentioned in the blog that it may still be under development or the server has already been taken offline.
Now, what would the user experience be for this?
So if I download this, I see a Fortnite logo on my phone. What happens when I try to launch the game?
There obviously won't be any game being launched.
It will just disappear.
There won't be anything visible on the screen.
The malicious app is actually running in the back end.
And does it have a persistence?
Yes, it will stay persistent on the user system.
I see.
All right, well, let's move on to one of the other ones that you discovered.
One of them was doing some coin mining.
Yep. So 2017 and 2018 were the years for a lot of mining activity, both web-based as well as
system-based. So it was no surprise that we also saw mobile malware, where one of this was a
Fortnite APK file that was being downloaded and performing coin mining activity using the CoinHive JavaScript,
which was embedded in the file.
And again, the user doesn't get any game to play and they wouldn't necessarily know
that this was happening.
It would all take place in the background.
That is accurate.
The only thing that the user will notice is the phone's battery is going to die out faster than usual. And the phone might even get heated up because the coin mining activity will leverage the CPU. I mean, it will prefer GPU, but yeah, on phones, it will mostly be leveraging the CPU. And we have shared some stats as well on that in the blog on what that would look like when the device is infected with this malicious app.
Now, let's go through some of the other ones.
Some of them were generating revenue in other ways, some clever ways here.
What did you discover?
Right. So just to give you a background, Fortnite has a virtual currency called V-Bucks,
which allows the users to purchase some of the in-game cosmetic items.
The game is free to play, but the V-Bucks is where Epic Games makes a lot of money as well.
The part that the scammers are taking advantage of is there are a lot of young players who are trying to get those V-Bucks at a discounted price, or maybe by doing certain surveys and get the V-Bucks for free. So the scammers are basically pushing out apps saying that, hey, if you do X, Y, and Z, you will get free V-Bucks in return. And what ended up happening over there was the unsuspecting user would install the app, do all the ad and survey activity. And in return, he wouldn't even get any kind of V-Bucks, right? So it's just a pure scam being performed on the user's account.
Yeah, they're just leading you along, promising V-Bucks, but you never get the payoff.
Correct.
Now, one of the interesting things that you pointed out in this one is that they had a system encouraging people to leave positive reviews for the app.
Yes, that was an interesting one as well.
And by the way, a lot of these apps were also on Google Play Store.
We've actually posted some of the reviews,
which were clearly the result of the app asking the user to post positive reviews
if they want to get the V-Bucks, right?
So that was one of the intended steps as part of the things that the users were asked to do, as a result of which they would get V-Bucks.
These positive reviews were pre-written. It auto-populated the screen with these so that you didn't even have to write them yourself.
That is accurate, yes. And we've mentioned all the list of comments. They had actually about 30, yeah, about 30 comments. So in order to make it not repetitive, they would randomly pick one of them. And that's how the Google Play comments won't be all the same.
And then there were some other techniques where they got you to take surveys or download other apps.
Yep. Yeah. So that's the part I was mentioning, like they would ask you to take surveys, provide information, download other apps, which could further perform other ad scam activity on your mobile phone.
Yeah, it was interesting to me to see that in the process of launching the fake app, they would have screens that would load that were pretty convincing, that looked like what you would expect some sort of beta of Fortnite to look like.
Yep, yep, yep. That is accurate.
And what was interesting was, I mean, maybe not surprising
because of all the five-star reviews that the app was getting,
some of these apps were downloaded over 4,000 or 5,000 times on Google Play Store.
So thousands of users were impacted by this.
So in the meantime, since you published this research initially,
there has been a version of Fortnite released for Android,
but that brought its own set of interesting consequences.
Can you walk us through that?
Right. So Epic Games decided to launch the Android version of Fortnite by hosting the installer file on their own website. Basically, they're not leveraging Google Play Store for various reasons. And I'm sure you guys can read into that. But they chose to host the installer on their own site, which means that as part of the installation step, the user is asked to install an APK package from a third-party untrusted source. So the Android operating system by default would not allow a user to install APKs from an unknown location other than Google Play Store. And so while the Epic Games website, people can trust it, there are a lot of other methods that the attackers can leverage, you know, things like punycode and other mechanisms to make a site which looks very similar to Epic Games, right? And fool the end user into clicking those links and downloading the APK file.
Yeah. And I suppose that once you've socialized your user that getting what you want, you're going to need to override some of these safety settings.
Well, that's half the battle.
Exactly.
And those steps are actually mentioned on the Epic Games site itself.
Obviously, they would want the user to be downloading the app
from their own website.
But the point over here is if a malicious attacker
is able to convince a user that the site that they're visiting is indeed Epic Games' own site.
And then they will happily follow the steps that are mentioned.
It strikes me that this sort of leading people along, stringing them along with all these steps to try to either get the V-Bucks or get the game itself.
I would imagine lots of people wouldn't fall for this or would bail out somewhere
along the way. But I guess it's important to remember that a lot of the folks who would be
attracted to this are going to be kids. Exactly. Yeah, it's a fact that there is a wide area of
age groups that play this game, right? A number that I read recently, it's topping about 200
million users worldwide, and the concurrent count is 8 billion users at any given time that's playing the game.
So, yes, there will be a lot of kids who are not willing to spend money and get those V-Bucks by doing some of the surveys and things like that and falling for the malicious apps.
Yeah, kids have nothing but spare time, right?
So what are your recommendations?
If I'm a parent and I want to warn my kids about this, I want to inoculate them against these sort of things. What sort of warnings should I give them to have a good eye out for these sorts of techniques?
If we're talking about the Android users, if you are using a Samsung phone, I think they did one good thing over there.
Samsung Galaxy App Store, which is a third-party app store, but it's sort of vetted by Samsung folks, right?
So that does have Fortnite installer as well.
So number one, I would recommend if you're using a Samsung device, you should try to install the game from that app store rather than any link.
Number two, if you don't have a Samsung Android phone and it's a different vendor, then you
should visit the site epicgames.com and follow the QR code instructions.
They're clearly written.
Do not click on the link that you receive through any kind of unsolicited messages, instructing you to download Fortnite,
using this method in order to get,
you know, a thousand V-Bucks for free.
Because all of those will lead to installation of,
in most cases, malicious packages on your phone.
So visit the site, install the package from there,
or install it from Samsung Galaxy App Store.
Now, what about if someone did fall victim to this? If they had one of these fake Fortnite games and they had installed it, what goes into removing it?
Right. And this is where, you know, the instructions for removal will be different based on the malware that is getting installed. So I'll take an example of the spyware app that was getting installed in our research that we published.
The user has to go into the settings
and disable accessibility access for the Fortnite app,
which is the app that the user installed.
And once the user turns off that,
he will be able to remove the app
by clicking on uninstall for the Fortnite icon.
So that's one of the ways to get rid of that app.
Now, having said that, every malicious app will have its own way of installing on the mobile phone.
So the instructions will be different.
Yeah, but buyer beware.
It's, I guess, best to not have it installed in the first place.
Absolutely, yes.
Our thanks to Deepen Desai from Zscaler for joining us.
The research is titled,
Fake Fortnite Apps Scamming and Spying on Android Gamers.
We'll have a link in the show notes.
And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
The Cyber Wire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is
Elliot Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Bond,
Tim Nodar,
Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick.
And I'm Dave Bittner.
Thanks for listening.