Here comes the storm: ‘Fortnite’ arrives on Android, cybersecurity experts sound alarm

Epic Games isn't putting the mega-popular first-person shooter into the Google Play Store — a move that could mean some would-be users end up downloading malware instead, cybersecurity experts say.
fortnite android
(Epic Games) Fortnite is dropping into Android

The world’s most popular game just arrived on Android in an unusual and potentially dangerous way.

“Fortnite” is a cash cow of a video game. The free-to-play, battle royale contest takes in hundreds of millions of dollars every month across computers, consoles and iPhones as users make a mountain of small purchases like new clothes or dance moves for their characters.

Publisher Epic Games will now add the world’s most popular operating system, Android, to that river of revenue — and the company is angling to avoid the large 30 percent cut Google takes from official Play Store purchases by offering the game directly on the company website. The beta version landed on Friday.

It has cybersecurity experts warning that the move will make Android users more vulnerable to hackers by pointing them away from the protection of Google Play Store. The main concern in the short term is that hackers will disguise malware as “Fortnite” and trick users into downloading fake and malicious files. This tactic is already well-used.


”This will expose users to a lot more attacks,” said Christoph Hebeisen, a security intelligence manager at the mobile cybersecurity firm Lookout. ”This increases the attack surface by using apps that haven’t come from the App Store and therefore haven’t gone through the vetting process that Google requires.”

Earlier this year, Lookout published research linking a Pakistani group to a spyware campaign that tricked users into downloading fake apps from a fake alternative to the App Store.

The official Google Play Store actively guards against malware, giving users a trusted directory to download apps. The Play Store killed 700,000 malicious apps last year alone.

Other mobile devices and gaming systems that carry “Fortnite” are generally less open to installations from outside their proprietary environments. Apple, for example, all but forbids most software from running on iOS unless it goes through official App Store vetting and security processes. On consoles like Sony’s PlayStation, Microsoft’s Xbox or Nintendo’s Switch, “Fortnite” is found directly in the company’s store for downloads.

Android allows users go out of their way to enable an option to allow software downloaded off the internet. That left Epic with the option to circumvent Google.


The bigger picture may be even more stark, particularly if more profit-seeking companies circumvent the Google Play Store.

“The Google Play Store is the way to go,” Hebeisen said. “We want users to use it because the apps there are a lot safer. If people start to leave the Play Store, that’s problematic. They will be more vulnerable to installing third-party malware they shouldn’t install. This removes a barrier and it’s not a good development.”

Epic Games did not respond to questions about cybersecurity concerns. Last week, Epic CEO Tim Sweeney talked to the Verge and laid out his concerns mostly in economic terms.

“The 30 percent store tax is a high cost in a world where game developers’ 70 percent must cover all the cost of developing, operating, and supporting their games,” Sweeney said. “There’s a rationale for this on console where there’s enormous investment in hardware, often sold below cost, and marketing campaigns in broad partnership with publishers.”


Sweeney said gamers have proven to be able to adopt safe downloading practices. He cited PC gaming, where software is downloaded from a variety of sources — although in the last decade most major games have migrated to a few centralized stores with strict vetting and security processes of their own. “Fortnite” doesn’t feature in those PC gaming stores.

What comes next? Gaming and cybersecurity eyes are set on the billion-dollar precedent “Fortnite” can set.

“The danger is greater that once users known that this is normal,” Hebeisen said. “The more other companies do this and users become used to the process, they’ll become much easier to phish, mislead and install bad apps.”

Latest Podcasts