Fortnite for Android is one of the most eagerly anticipated game launches this year, but news of the impending launch has shocked security teams across the globe after the announcement that the game will not be available via Google Play. Instead, users will need to download Fortnite for Android directly from Epic Games’ site.

Epic’s CEO, Tim Sweeney, told the press that the decision is “in part to build a direct relationship with customers”, but is also “motivated by economic efficiency”, namely avoiding the 30% cut that Google would take from game revenue.
But what security risks are associated with this decision? And what will happen if it becomes the norm for app developers to circumvent the security measures taken by official app stores? Sweeney argues this responsibility lies with the community.

“Everyone active in the Android ecosystem, including Google, manufacturers, carriers, and now Epic Games, will need to work together to maximize the security of Android as an open platform. We recognize we’re taking on a big responsibility here and take it seriously.”
Tim Sweeney, CEO of Epic Games

With Wandera research showing that 10% of employees game on their corporate devices on a daily basis, we decided to look into the dangers of sideloading apps from third parties.

What is sideloading?

Sideloading is a term referring to installing apps from ‘unofficial’ or ‘third party’ app stores (i.e. not from Google Play). To download third-party apps for Android and install them, the user has to enable installs from “unknown sources” in the security settings of their device. This process is called sideloading.
As it stands, sideloading is not easily done on iOS, likely because if Apple were to allow it, users would be able to avoid using the official App Store and Apple would lose out on the revenue. Apple’s cadence of software updates has made it harder and harder to jailbreak devices, with each new release patching vulnerabilities that have made it possible in the past.

Security risks for Fortnite users

UPDATE: Google’s security team discovered a vulnerability in the Fortnite Installer that could be exploited to hijack the request to download Fortnite from Epic and secretly download something else. To exploit it, an attacker would need a malicious app already installed on the user’s device and waiting for such a vulnerability. That app lies in wait for requests to download something from the internet and intercepts them to download more damaging malware, for example.
Epic fixed the vulnerability less than 48 hours after being notified. The Fortnite Installer that brought the fix is version 2.1.0. Users can check the version in the Installer settings. If users had downloaded the vulnerable version, they will be prompted to install 2.1.0 (or later) before installing the game.

1. The normalization of sideloading

Sideloading apps is not a dangerous practice in itself and there are many legitimate reasons why game developers may choose to host their applications in third-party app stores. Freedom in development, a quicker route to market, less competition – to name a few.
Sideloading is also an important capability for installing enterprise developed apps. Many corporate apps are not uploaded to the official stores, as they are proprietary apps with important functions built specifically for employees.
The biggest risk here is users enabling this feature to install Fortnite, then forgetting to switch it back. It’s like saying Amazon is going to deliver directly to your living room now, but you have to leave your front door open all the time. Wandera research shows that 20% of corporate Android devices (running versions between KitKat and Nougat) have installs from “unknown sources” permanently enabled, meaning that at any given time they can download a piece of malicious software from any corner of the web.
Not all apps are built equal, and when going through the process of making an application available on one of the traditional app stores, such as Apple’s ‘App Store’ or ‘Google Play’, developers must meet rigorous security standards and adhere to certain quality metrics. In fact, last year Google removed 700k apps from the Play Store that did not meet these standards.
Third-party app stores tend to set their acceptance bars lower and make it easier for users to gain access to apps that may have serious security deficits. Pernicious parties are aware of this and can easily implement malicious code within the format of an application.
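
An added example, not part of the original article and not Wandera or Epic code: a fleet audit that flags the two conditions described above, a KitKat-to-Nougat device with “unknown sources” left on and a Fortnite Installer older than the fixed 2.1.0. The inventory format and its field names are assumptions (a hypothetical export), and the sample records are constructed.

```python
import re

# Constructed sample inventory (hypothetical export format, not a real product schema).
# "unknown_sources" mirrors the device's install_non_market_apps setting value.
SAMPLE_FLEET = [
    {"id": "dev-01", "api_level": 23, "unknown_sources": "1", "installer_version": "2.0.1"},
    {"id": "dev-02", "api_level": 25, "unknown_sources": "0", "installer_version": "2.1.0"},
    {"id": "dev-03", "api_level": 19, "unknown_sources": "1", "installer_version": None},
    {"id": "dev-04", "api_level": 27, "unknown_sources": None, "installer_version": "2.10.3"},
    {"id": "dev-05", "api_level": 24, "unknown_sources": "0", "installer_version": "2.0"},
]

KITKAT_API, NOUGAT_MAX_API = 19, 25   # Android 4.4 through 7.1
FIXED_INSTALLER = (2, 1, 0)           # fixed Installer version named in the article


def parse_version(text):
    """Turn '2.1.0' into (2, 1, 0); pad short versions so '2.1' equals '2.1.0'."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def audit_device(dev):
    """Return the list of findings for one inventory record."""
    findings = []
    # The device-wide toggle exists only up to Nougat. Android 8.0 and later
    # grant install rights per app, so a single on/off value is not meaningful there.
    in_range = KITKAT_API <= dev["api_level"] <= NOUGAT_MAX_API
    if in_range and dev["unknown_sources"] == "1":
        findings.append("unknown-sources-enabled")
    # Compare numerically: a string comparison would rank '2.10.3' below '2.1.0'.
    version = dev.get("installer_version")
    if version is not None and parse_version(version) < FIXED_INSTALLER:
        findings.append("vulnerable-installer")
    return findings


def audit_fleet(fleet):
    """Map device id to findings, keeping only devices that need action."""
    report = {d["id"]: audit_device(d) for d in fleet}
    return {dev_id: f for dev_id, f in report.items() if f}


if __name__ == "__main__":
    for dev_id, findings in audit_fleet(SAMPLE_FLEET).items():
        print(dev_id, ", ".join(findings))
```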

2. An influx of fake Fortnite apps in Google Play

We expect to see yet more fake Fortnite apps sneaking their way into the Play Store, looking to exploit new users who may not be aware that the game can only be downloaded directly. It’s a pretty natural assumption to look for your favorite games on the Play Store, and it’s something we’ve already noticed happening prior to the release.

3. A rise in ‘Epic phishing’

Third-party app stores aren’t the only source delivering dangerous apps to Android devices. Apps can also be installed via phishing attacks. Think about how many times you’ve seen a website pop up or a text message prompting you to install an important Flash Player update for example. A minor slip up like clicking on a convincing phishing attack can be stopped if the device is configured to only allow Google Play apps to be downloaded. Devices allowing app downloads from unknown sources will automatically download malicious files from anywhere on the web.
Taking the direct download approach could lead to an influx of phishing sites impersonating Epic Games attempting to draw in would-be Fortnite players. This wouldn’t be the first time hackers have capitalized off the popularity of global events to give credence to their attacks. Back in June Wandera research noted a 67% increase in the creation of new phishing pages targeting gamblers during the World Cup.

Protecting your fleet

Visibility is the most important thing when it comes to evaluating the safety of apps and what exactly you’re giving up when you hit accept. Sometimes, however great that new app is, it’s just not worth the cost.
That’s why it’s essential to invest in a security solution that can continually monitor and block emerging threats across your fleet, wherever they may be triggered on the device. At Wandera, we built MI:RIAM to analyze over a billion data points daily, flagging malicious applications, traffic to malicious URLs and a range of other security threats in real time to prevent critical data loss and provide complete protection to your corporate estate.
If you’d like to go one step further and get complete visibility into the applications installed across your organization, get a demo of Wandera’s App Insights feature today. App Insights presents organizations with a 360-degree view of apps installed across the mobile fleet, complete with permissions, versioning details, and additional metadata. This is exactly the kind of information that helps admins to determine what actions need to be taken to address risky, out-of-date third-party applications.
If you’d like to learn more about protecting your organization from mobile threats, get in touch with one of our mobility experts today.