YouTube is being bombarded with fake tutorials claiming to show how to download the popular battle royale mobile game phenomenon Fortnite for Google’s Android operating system—despite the game not being released on the platform until later this year, a cybersecurity expert has warned.
Dozens of suspicious guides, some uploaded months ago, have racked up millions of views on the Google-owned video platform. In the majority of cases, culprits attempt to dupe victims by directing them to an unrelated—and potentially malicious—Android app before promising access to the game. Lukas Stefanko, a malware researcher at ESET, a Slovakia-headquartered antivirus company, told Newsweek on Tuesday that users need to be made aware of the risks associated with such scams.
One video, published on June 10, shows an individual searching for “fortniteandroid[dot]us” and quickly navigating the steps to a suspicious-looking webpage hosting the download. Once clicked, the app mirrors Fortnite’s login page but then claims, “mobile verification required.” In seconds, it redirects to another website offering “Photo Editor Pro” which, if permitted, allows access to a user’s identity, contacts, location, camera and WiFi connection. The short clip then claims to show Fortnite running on an Android-based smartphone—but Stefanko says all is not what it seems.
“These apps make the user download more Android apps to create revenue for developer,” he told Newsweek, adding: “There isn’t any video on YouTube with actual game play to prove it—only video footage played from an app recorded either from iPhone or PC. What concerns me most is that these files could be malicious and try to steal a user’s money or mine for [cryptocurrency] using the device.”
Despite the plethora of videos being uploaded, many of the most recent appear to be emerging from the same person, under different YouTube accounts. While the backdrop to the footage changes (clip 1, clip 2, clip 3), the camera setup, image angle and editing styles are similar. The rogue app changes but the tactic remains the same. The scammer’s identity remains unclear, but in two separate videos uploaded under different names (clip 1, clip 2), the individual has the same hand tattoo.
“That’s fishy,” Stefanko said when the similar uploads were brought to his attention. “Based on that we could guess there is one guy—or a team—behind the videos, doing it on purpose to get revenue.”
The ultimate aim, the researcher said, is to spread unrelated Android apps and squeeze illicit revenue from their use, typically via some well-established techniques including click or advertising fraud. “It is hard to say who is behind them, I guess there is more people or different groups exploiting unawareness because it is really simple to create such fake apps,” the cybersecurity expert added.
Google’s YouTube did not respond to a request for comment.
There is precedent for using well-known intellectual property in the gaming community to spread scams. In recent years, brands including Pokémon Go and Super Mario Run were exploited by cybercriminals to manage hacking operations. In May this year, U.S.-based cybersecurity company ZScaler reported a spike in malware and spyware posing as Fortnite that could harvest call logs and phone contacts.
Stefanko, who is still conducting analysis on his YouTube discovery, said it remains unclear as to what extent the fake download files are malicious but said Android users should remain vigilant.
“There are so many people watching these video tutorials and installing these applications I guess bad guys could easily exploit it,” said Stefanko. “Stick to Google Play—don’t download a Fortnite application from any other website, the risk is too high. These apps are not from the official developer so there won’t be any real gameplay. For players the best advice is to wait [for the official release].”
In May, Fortnite developer Epic Games said the Android version is set for a summer 2018 release.