Malicious and fake versions of Fortnite have sprung up all over YouTube after the game was announced to launch on Android platforms. Security researchers at Malwarebytes discovered various tutorial videos promoted within sponsored adverts. Even though the adverts and the logo of Epic Games (the game's creators) all seemed legitimate, the malicious links are in fact stealing content from the iOS app once users begin the downloading process. The user is required to complete what seems like a real verification task to download the “free app”, which then directs the user to Google Play. However, if you download the app, the Android phone will be infected with malware.
We gained insight from leading security professionals to get their take on the situation:
Steve Giguere, lead EMEA engineer at Synopsys:
“As much as we are wary of scam phone calls promising too-good-to-be-true offers, and investment schemes like the Initial Coin Offerings promising a blockchain-based something for nothing, a website promising a contraband release of a new game feels only too possible due to previous precedents of leaks from government documents to Game of Thrones episode spoilers.
The temptation for enthusiasts, blinded by fandom and the inevitable peer kudos of getting to play early, combined with the real advantage of not being subjected to real post-release media spoilers, is such that it subverts the good sense to prevent one exploring the realm of questionable websites and dodgy video instructions only to be led down the path to malicious game-ending malware. Any form of social engineering is successful because it’s designed around human nature. There’s no shame in being caught out by schemes or scams like these, but we need to learn that where we exhibit human weakness, the cyber-criminal will be present looking to take advantage to turn our nature against us. As attacks like these become more commonplace, awareness will inevitably follow; but until then, ensure you are running a modern endpoint security program and remember that if it looks too good to be true, don’t take the bait. It’s called phishing for a reason.”
Javvad Malik, security advocate at AlienVault:
Criminals will use various tactics to entice users to click on their phishing email, or download their malicious software online from the web, or mobile app store.
Among the popular techniques is to use the lure of ‘early access’. When the latest summer blockbuster comes out, criminals look to put fake malware-ridden movie downloads online.
Similarly, we see the pre-release of malicious mobile apps in gaming stores which entice users to be among the first to get a game.
We will need to continually improve the defences to stop such malware making its way into app stores, or running on devices. But at the same time, ongoing user awareness is essential to ensure users are savvy to the risks that can affect them.
Martin Jartelius, CSO at Outpost24:
Attacks which require user interaction often focus on one of a subset of attack paths:
Promise something for free that usually costs money – Often by pirating an existing product, backdooring it and uploading it to the stores.
Promise something with a perceived value at no cost, but deliver nothing – Free “antivirus” solutions have fallen in this category, for example, or applications which just wrap another company API functionality.
Promise something desirable, like this unlock.
Essentially it boils down to user awareness and behavior – fraud will always be a problem. The statement that if you are not paying, you are the product being sold still holds true.