Researchers at Zscaler have been tracking a variety fake versions of the popular Fortnite game on the Google Play store, along with associated scams. Deepen Desai is head of security research at Zscaler, and he joins us to share their findings.
The original research can be found here.
Dave Bittner: [00:00:02] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us
Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Learn more at RSA booth number 5859, or connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.
Dave Bittner: [00:01:16] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Deepen Desai: [00:01:56] Back in May 2018, when we published the research, Fortnite had about forty-five million players worldwide.
Dave Bittner: [00:02:05] That's Deepen Desai. He's Head of Security Research at Zscaler. The research we're discussing today is titled, "Fake Fortnite Apps Scamming and Spying on Android Gamers."
Deepen Desai: [00:02:16] The popularity has grown immensely since then, as well. But it was always on our radar to track different popular apps, trending apps, because those are the ones that are being targeted by the malicious actors. And what we saw back then was, not one, but there were several different fake Fortnite apps for Android users that were trying to take advantage of the popularity of the game.
Dave Bittner: [00:02:40] Now, to be clear here, at the time when you originally published this research, Fortnite had not yet been released for Android devices. So these bad actors were taking advantage of the desire for the game by putting out fake versions on the Play Store?
Deepen Desai: [00:02:56] That is accurate. So, at that time, Epic basically announced that it will be extending its support to mobile platforms, and it already launched the iOS version of the game. The Android version of the game was planned for summer of 2017, tentatively, but there was no official date announced. So, that was the situation. But as , you know,, there are a lot of eager gamers that were waiting for that app. So we did see a bunch of fake Fortnite apps being available on third-party, as well as, you know, some of the malicious web stores.
Dave Bittner: [00:03:33] Well, let's go through some of the ones that you found one at a time here. One of them involved some spyware. Can you walk us through what was going on with this one?
Deepen Desai: [00:03:40] Right. So, the first one that we mentioned is a spying app. This is basically allowing the attacker to monitor all the incoming and outgoing calls on the infected device. It's able to harvest call logs, get phone contacts and other information from the infected system. The attacker can also access camera, take pictures, and remotely wipe data on the device. So, it was a full-fledged remote control app which we saw in this case getting installed on the user's system.
Dave Bittner: [00:04:14] Now, this was able to keylog as well?
Deepen Desai: [00:04:16] It was able to keylog as well, yes.
Dave Bittner: [00:04:19] And what did you see in terms of this connecting with any sort of command-and-control server? Had that occurred?
Deepen Desai: [00:04:25] So, during that analysis, we did notice that it was calling back to a C&C server, but the server was not online. So, we did see the code, but we haven't seen any successful connection at the time of analysis. So that's why we mentioned in the blog that it may still be under development, or the server has already been taken offline.
Dave Bittner: [00:04:47] Now, what would the user experience be for this? If I download this, I see a Fortnite logo on my phone. What happens if I want to try to launch the game?
Deepen Desai: [00:04:56] There obviously won't be any game being launched. It will just disappear. There won't be anything visible on the screen. The malicious app is actually running in the backend.
Dave Bittner: [00:05:04] And does it have persistence?
Deepen Desai: [00:05:05] Yes, it will stay persistent on the user system.
Dave Bittner: [00:05:09] I see.
Dave Bittner: [00:05:10] All right. Well, let's move on to one of the other ones that you discovered. One of them was doing some coin mining.
Dave Bittner: [00:05:40] And again, the user doesn't get any game to play, and they wouldn't necessarily know that this was happening. It would all take place in the background?
Deepen Desai: [00:05:48] That is accurate. The only thing that the user will notice is the phone's battery is going to die out faster than usual, and the phone might even get heated up, because bitcoin mining activity will leverage the CPU. I mean, it will prefer GPU, but yeah, phones - it will mostly be leveraging the CPU. And we have shared some stats as well on that, in the blog - on what that would look like when the device is infected with this malicious app.
Dave Bittner: [00:06:16] Hmm. Now, let's go through some of the other ones. Some of them were generating revenue in other ways, some clever ways here. What did you discover?
Deepen Desai: [00:06:25] Right. So, just to give you a background, Fortnite has virtual currency called V-Bucks, which allows the users to purchase some of the in-game cosmetic items. The game is free to play, but the V-Bucks is where, you know, Epic Games makes a lot of money as well. The part that the scammers are taking advantage of is there are a lot of, you know, young players who are trying to get those V-Bucks at a discounted price, or maybe by doing certain surveys and get the V-Bucks for free. So, the scammers are basically pushing out apps, saying that, hey, if you do X, Y, and Z, you will get free V-Bucks in return. And what ended up happening over there was the unsuspecting user would install the app, do all the ad and survey activity, and in return, he wouldn't even get any kind of V-Bucks, right?
Dave Bittner: [00:07:16] Hmm.
Deepen Desai: [00:07:15] So, it's just pure scam being performed on the users.
Dave Bittner: [00:07:20] Yeah, they're just leading you along, promising V-Bucks, but you never get the payoff.
Deepen Desai: [00:07:26] Correct.
Dave Bittner: [00:07:27] Now, one of the interesting things that you pointed out in this one is that they had a system encouraging people to leave positive reviews for the app.
Deepen Desai: [00:07:35] Yes. (Laughs) That was interesting when it was done. And by the way, a lot of these apps were also on Google Play Store. We have actually posted some of the reviews, which are clearly the result of the app asking the user to post positive reviews if they want to get the V-Bucks, right? So, that was one of the intended steps as part of the things that the users were asked to do, as a result of which they would get V-Bucks.
Dave Bittner: [00:07:59] These positive reviews were pre-written - it auto-populated the screen with these, so that you didn't even have to write them yourself.
Deepen Desai: [00:08:07] That is accurate. Yes. And we have mentioned all the list of comments. They had actually about thirty or - yeah, about thirty comments. So, in order to make it not repetitive, they would randomly pick one of them, and that's how the Google Play comments won't be all the same.
Dave Bittner: [00:08:24] And then there were some other techniques where they got you to take surveys or download other apps?
Deepen Desai: [00:08:29] Yeah. Yeah. So, that's the part I was mentioning - like, they would ask you to take surveys, provide information, download other apps which could further perform other ad scam activity on your mobile phone.
Dave Bittner: [00:08:44] Yeah, it was interesting to me to see that, in the process of launching the fake app, they would have screens that would load that were pretty convincing - that looked like what you would expect some sort of beta of Fortnite to look like.
Deepen Desai: [00:08:59] Yeah. Yeah, that is accurate. And what was interesting was - I mean, maybe not surprising - because of all the five stars reviews that the app was getting, some of these apps were downloaded over, you know, four or five thousand times on Google Play Store. So thousands of users were impacted by this.
Dave Bittner: [00:09:16] So, in the meantime, since you published this research initially, there has been a version of Fortnite released for Android, but that brought its own set of interesting consequences. Can you walk us through that?
Deepen Desai: [00:09:28] Right. So, Epic Games decided to launch the Android version of Fortnite by posting the installer file on their own website. Basically, they're not leveraging Google Play Store, for various reasons, and I'm sure you can read into that. But they chose to host the installer on their own site, which means that as part of the installation step, the user is asked to install an APK package from a third-party, untrusted source, right? So, Android operating system by default would not allow a user to install APKs from an unknown location other than Google Play Store. And so, while Epic Games website, people can trust it, but there are a lot of other methods that the attackers can leverage to - you know, things like Punycode and other mechanisms - to make a site which looks very similar to Epic Games, right? And fool the end user into clicking those links and downloading the APK file.
Dave Bittner: [00:10:33] Yeah, and I suppose that once you socialized your user, that getting what you want, you're going to need to override some of these safety settings - well, that's half the battle.
Deepen Desai: [00:10:42] Exactly. And those those steps are actually mentioned on the Epic Games site itself. Obviously, they would warn the user to be downloading the apps from their own website. But the point over here is, if a malicious attacker is able to convince a user that the site that they're visiting is indeed Epic Games' own site, then they will happily follow the steps that are mentioned.
Dave Bittner: [00:11:04] It strikes me that this sort of leading people along, stringing them along, with all these steps to try to either get the V-Bucks or get the game itself, I would imagine lots of people wouldn't fall for this or would bail out somewhere along the way, but I guess it's important to remember that a lot of the folks who would be attracted to this are going to be kids.
Deepen Desai: [00:11:25] Exactly. It's a fact that there is a wide area of age groups that play this game. A number that I read recently, it's topping about 200 million users worldwide, and the concurrent count is 8 million users at any given time that's playing that game. So, yes, there will be a lot of kids who are not willing to spend money, and get those V-Bucks by doing some the surveys and things like that, and falling for the malicious apps.
Dave Bittner: [00:11:50] Yeah, kids have nothing but spare time, right? (Laughs).
Deepen Desai: [00:11:55] (Laughs)
Dave Bittner: [00:11:55] So, what what are your recommendations? If I'm a parent, and I want to warn my kids about this, I want to inoculate them against these sort of things, what sort of warnings should I give them to have a good eye out for these sorts of techniques?
Deepen Desai: [00:12:09] If we're talking about the Android users, if you are using a Samsung phone, I think they did one good thing over there. Samsung Galaxy App Store, which is a third-party app store, but it's sort of vetted by Samsung folks, right? So, that does have Fortnite installer as well. So, number one, I would recommend if you are using a Samsung device, you should try to install the game from that app store, rather than any link.
Deepen Desai: [00:12:36] Number two, if you don't have a Samsung Android phone, and it's a different vendor, then you should visit the site - epicgames.com - and follow the QR code instructions that are clearly written. Do not click on the link that you receive through any kind of unsolicited messages, instructing you to download Fortnite using this method in order to get, you know, a thousand V-Bucks for free, because all of those will lead to installation of, in most cases, malicious packages on your phone. So, visit the site, install the package from there, or install it from Samsung Galaxy App Store.
Dave Bittner: [00:13:17] Now, what about if someone did fall victim to this, if they had one of these fake Fortnite games and they had installed it, what goes into removing it?
Deepen Desai: [00:13:27] Right, and this is where, you know, the instructions for removal will be different based on the malware that is getting installed. So, I'll take an example of the spyware app that was getting installed in our research that we published. A user has to go into the settings and disable accessibility access for the Fortnite app - which is the app that the user installed - and once the user turns off that, he will be able to remove the app by clicking on uninstall by the Fortnite icon. So that's one way to get rid of that app.
Deepen Desai: [00:13:59] Now, having said that, every malicious app will have its own way of installing on the mobile phone. So, the instructions will be different.
Dave Bittner: [00:14:08] Yeah, buyer beware. It's, I guess, best just to not have it installed in the first place.
Deepen Desai: [00:14:14] Absolutely. Yes.
Dave Bittner: [00:14:18] Our thanks to Deepen Desai from Zscaler for joining us. The research is titled, "Fake Fortnite Apps Scamming and Spying on Android Gamers." We'll have a link in the show notes.
Dave Bittner: [00:14:30] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:14:39] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:14:48] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Juniper Networks challenges the status quo with products, solutions and services that transform the economics of networking. Our team co-innovates with our customers and partners to deliver automated, scalable and secure networks with agility, performance and value. Additional information can be found at Juniper Networks.
Enveil is revolutionizing data security by addressing a Data in Use vulnerability that people have been chasing for more than 20 years. Founded by U.S. Intelligence Community alumni, Enveil’s ZeroReveal™ solutions ensure data remains encrypted throughout the processing lifecycle. Learn more at www.enveil.com.