Fortnite & Android: A Real Battle Royale
A warning for those of you with children who like to play Fortnite and other games on your phone, from security writer Stephen Chapendama.
"Do you have any games on your phone?" is a dreaded question, usually asked by the sticky-fingered niece or nephew at family gatherings. In the modern world, it is not uncommon to see children with smartphones. The device of choice wielded by children is usually running Android. These devices are most likely rarely updated and should never be allowed to handle Android Pay details. Android has a history of malicious applications playing Trojan horse, and Google has been making an effort to ensure user security in the Play Store.
The developer, Epic Games, released its flagship game Fortnite on iOS in April 2018 whilst it worked on the Android version of the popular game. In the first weeks, it reportedly made (USD) $15 million via in-app purchases, proving how successful the game is. For malicious actors, this presents an opportunity. As children and adults alike awaited the release of the game on Android, the "will it be on the Play Store?" rumour mill started, with sources reporting that Epic Games would rather manage the release themselves than have it controlled via the Play Store.
Whilst they will have their reasons (not wanting to pay 30% to Google), considering the user base of Fortnite is predominantly under 18, this is very much not a responsible decision by the developer. Security measures when purchasing via in-app stores are always minimal, and there have been numerous reported cases of children running up large bills whilst playing these games. Whether or not they know what they're doing is an argument for Medium one day, but for now we take a look at some of the security risks that not having apps on the Play Store opens these vulnerable devices to.
Android apps can be installed via packages known as APKs (Android Package Kits). The APK, just like an .exe file on Windows, is how some users download and install apps which may not be available on their device, or skip the queue for app updates and download the latest version. Some APK files may contain malicious software (malware), which Google's Play Store screens for to ensure it doesn't enter the store.
Installation of unofficial packages is disabled by default on most Android devices, and for a user to install Fortnite when it does fully launch, they will have to disable this setting. This allows malicious actors to plague the internet with fake versions of the app, which unsuspecting users may download. After installation, it is possible to turn the setting back on to protect yourself again, but by then it could hypothetically be too late. Most malicious Android apps are focused on one thing: getting the user to input their credit/debit card information.
This attack won't be new and it won't be unique to Fortnite. Even before the release on Android, suspicious APKs are available to download, offering in-game boosts and tips. Whilst most adults will be moderately aware of best practices when dealing with apps, some children who play this game will not. If other game developers start opting for this route to bypass the Google Play Store, Android apps will become more vulnerable. Google's role as gatekeeper to the Play Store recently led to an EU Court ruling accusing it of abusing its monopoly when it came to its Google Services, so perhaps this will push it into working with other Android stores, but in this author's humble opinion, the route taken by Epic Games is not the right way.
Be Careful When Your Child Uses Your Phone
For those brave enough to let children download apps on their phone, always ensure you verify the permissions each game has. If a car racing game is requesting access to your SMS, Google Pay and files, alarm bells should be ringing. For added security, using security products such as Norton Mobile Security, or regularly reviewing which apps you have, what they can see and whether you actually use them, is a good way to ensure security and peace of mind.
It is also worth noting that not all malware coming from Android is designed for Android. In August 2018, Google removed 145 apps from its Play Store which contained malicious files designed to attack Windows PCs. It is very common for employees to charge phones via USB on work PCs or laptops, and as such most company security policies disable USB access for this reason. Researchers from Palo Alto Networks noted that:
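The permission check described above can also be run on an APK file before it is installed. The following is an added example, not part of the original article: it reads the output of the Android SDK command `aapt dump permissions <file.apk>` and flags permissions a game has little reason to request. The flagged list, the sample output and the package name com.example.racinggame are constructed assumptions.

```python
import re

# Permissions a typical game has little reason to request. This list is an
# illustrative assumption, not an official classification.
SUSPICIOUS_FOR_GAME = {
    "android.permission.READ_SMS": "can read text messages, including one-time codes",
    "android.permission.SEND_SMS": "can send texts, including premium-rate ones",
    "android.permission.READ_EXTERNAL_STORAGE": "can read photos and files",
    "android.permission.WRITE_EXTERNAL_STORAGE": "can modify photos and files",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt to install more apps",
}

# Matches both aapt output styles: "uses-permission: name='X'" (newer tools)
# and "uses-permission: X" (older tools).
PERMISSION_LINE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")

def parse_permissions(aapt_output):
    """Return the permissions declared in `aapt dump permissions` output, in order."""
    seen = []
    for line in aapt_output.splitlines():
        match = PERMISSION_LINE.match(line.strip())
        if match and match.group(1) not in seen:  # skip repeated declarations
            seen.append(match.group(1))
    return seen

def review_game(aapt_output):
    """Split declared permissions into (flagged, unremarkable) for a game."""
    flagged, other = {}, []
    for perm in parse_permissions(aapt_output):
        if perm in SUSPICIOUS_FOR_GAME:
            flagged[perm] = SUSPICIOUS_FOR_GAME[perm]
        else:
            other.append(perm)
    return flagged, other

# Constructed sample output for a made-up racing game package.
SAMPLE = """package: com.example.racinggame
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.VIBRATE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: android.permission.WRITE_EXTERNAL_STORAGE
uses-permission: name='android.permission.READ_SMS'
"""

if __name__ == "__main__":
    for perm, why in review_game(SAMPLE)[0].items():
        print(f"REVIEW  {perm}: {why}")
```

A flagged permission is a prompt to look closer, not proof that the app is malicious; some legitimate games request storage access for downloaded content.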
"the malicious files are useless on Android, so if you downloaded any of the apps, all listed at this link, and used them only on Android, you’re safe. Among the apps, some had over 1,000 installations and 4-star reviews, a hint that developers weren’t trying to deliver Windows malware via Android apps to users."
The report is available to read here.
When it comes to mobile security, most 'attacks' are self-inflicted: users click on suspicious links spread through chain messages, download unverified apps or don't review security settings when they install new apps. The work done by Google to protect the Play Store is not enough, as is evident from the number of malicious apps that still make it through the store, but the route that developers are taking, where profits matter over security, is not the right way to go.
As the world evolves and the smartphone user gap grows, much more should be done to protect children who use these apps, and Google isn't doing it.
Main Image Credit : The awesome piece of artwork used to head this article is called 'Fortnite Slurpee' and it was created by graphic designer Brad VandenBerg.