Our Tencent(s) on the battle royale to exploit interest in the Fortnite Android app

Cybercriminals have sought to take advantage of the long-awaited release of the popular Fortnite battle royale video game on the Android operating system. This is partly due to the decision by the producer Epic Games – itself owned by Chinese investment conglomerate Tencent – not to make the app accessible via the Google Play Store, and instead to host it on its own website. This has provided cybercriminals with the opportunity to develop malicious variants of the Android Application Package (.apk) file and lure unsuspecting users into downloading them. Although fake Fortnite apps have been circulating since June, we use the actual release of the game on the Android platform to look at three malware variants posing as the download for the game.

Credential phishing site purporting to be the download for Fortnite for Android

The first sample we analysed encourages the user to visit the credential-phishing website AndroidFortnite[.]info shown above. The phishing page masquerades as the download for the Fortnite .apk file. In reality, FakeFort malware is downloaded on to the victim’s device. FakeFort then uses the victim’s Twitter and Facebook accounts to spread by posting links to the AndroidFortnite[.]info phishing site. During installation, FakeFort requests full internet access permissions. It then directs the user to a phishing page that asks them to enter their mobile number to unlock access to the downloaded Fortnite game. This process activates a subscription which sends the victim four text messages a week, charging them USD 2.50 a message.

Analysis also revealed that the Android certificate used to sign the malware (9df04d9b86ce7e549066f11532020f71abcf1ef1) has been used for at least two other campaigns targeting users of Realm Royale and Grand Theft Auto V – also popular games. These campaigns appear to operate in a nearly identical manner: sending users to a page like the one displayed below. This suggests a common perpetrator behind the campaigns.

Example of the phone scam victims would have been directed to once the .apk was downloaded

A second sample drops the same FakeFort malware from the site androidhackers[.]net. This page also offers a download for the Fortnite .apk file. The certificate signature used for this file (9716debd8fbb706de6efb73dfc69adc07fc16ede) had previously been used in campaigns in April and June to distribute malicious Android apps spoofing games such as Harry Potter Wizards Unite.

A third, separate sample appears to be targeting Chinese users. This variant targets users via Tencent (Epic Games’ parent company), gathering information by attempting to communicate with various user accounts associated with Tencent. These include their Player Unknown’s Battlegrounds (another popular Battle Royale game) activity, live chatroom activity, Tencent authentication, friend details, Steam (the video game distribution platform) activity and Midas QQ (Tencent’s official virtual payment platform) wallet activity. The malware also hooks into the Xiaomi message receiver. The certificate used to sign the malware (a05c551befc6748f474696f3defe086c320f45a4) has been used on 42 other files, all of which appear to be malicious and seem to focus on Tencent and the Chinese populace.

As more conventional malware types such as ransomware and cryptocurrency-miners become less profitable, cybercriminals will continue to experiment with new and potentially profitable ventures. The opportunity to exploit gamers’ desire to access their favourite games – particularly younger audiences – is a compelling one. As ever, this type of threat can be mitigated by using only trusted sources – such as official app stores – for software downloads. Users should also be aware of the permissions they grant to apps.

List of SHA-256 hashes associated with the malware samples:

  • 219426bee4a8e4cf5f1445a4ce5630f6807ccc1ae64b290bb8e007d4ab3ae8c6 – FakeFort Trojan
  • f39e18c23f07d61612e7ec3ed6cac0be8857d9e3e309331b352ca2fd0e095ecc – FakeFort Trojan
  • 742fd67291a59def15f7c8db057de896314848354701ec3958d29436ea0f6791 – Separate Trojan targeting Tencent Chinese users

List of Android certificate thumbprints:

  • 9df04d9b86ce7e549066f11532020f71abcf1ef1 – FakeFort Trojan
  • 9716debd8fbb706de6efb73dfc69adc07fc16ede – FakeFort Trojan
  • a05c551befc6748f474696f3defe086c320f45a4 – Separate Trojan targeting Tencent Chinese users
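
The certificate pivot used in the analysis above can be reproduced when triaging a sideloaded .apk: extract the signing certificate and compare its thumbprint with the list. The following is an added example, not tooling from the original analysis. It assumes the listed thumbprints are SHA-1 digests of the DER-encoded certificate and that the .apk carries a v1 (JAR) signature block under META-INF/; all function names are illustrative, and the sample .apk is constructed in memory.

```python
import hashlib, io, zipfile

KNOWN = {  # thumbprints listed on this page; assumed SHA-1 over the DER certificate
    "9df04d9b86ce7e549066f11532020f71abcf1ef1": "FakeFort Trojan",
    "9716debd8fbb706de6efb73dfc69adc07fc16ede": "FakeFort Trojan",
    "a05c551befc6748f474696f3defe086c320f45a4": "Separate Trojan targeting Tencent Chinese users",
}

def der_children(buf):  # yield (tag, raw_tlv, value) per definite-length DER element
    i = 0
    while i + 2 <= len(buf):
        tag, n, j = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits count the length bytes that follow
            n, j = int.from_bytes(buf[j:j + (n & 0x7F)], "big"), j + (n & 0x7F)
        yield tag, buf[i:j + n], buf[j:j + n]
        i = j + n

def signer_thumbprints(apk_bytes):
    """SHA-1 of each certificate in the APK's v1 (JAR) signature blocks; [] if v2/v3-only."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC"))):
                continue
            try:  # ContentInfo SEQUENCE { OID, [0] EXPLICIT { SignedData SEQUENCE } }
                content_info = next(der_children(z.read(name)))[2]
                wrapped = list(der_children(content_info))[1][2]
                signed_data = next(der_children(wrapped))[2]
            except (IndexError, StopIteration):
                continue  # malformed block: skip it rather than crash on hostile input
            sets = [v for t, _, v in der_children(signed_data) if t == 0xA0]  # certificates [0]
            found += [hashlib.sha1(raw).hexdigest() for v in sets for _, raw, _ in der_children(v)]
    return found

def triage(apk_bytes, known=KNOWN):  # (thumbprint, label) for each signer matching an IoC
    return [(t, known[t]) for t in signer_thumbprints(apk_bytes) if t in known]

def tlv(tag, value):  # DER-encode one element; only used to build the constructed sample
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + value

def constructed_apk(cert_der):  # constructed sample: zip with a PKCS#7 block around cert_der
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, b"") + tlv(0xA0, cert_der))
    blob = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010702")) + tlv(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", blob)
    return buf.getvalue()
```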