Fortnite For Android Skips The Play Store, And That’s A Huge Security Risk

fortnite, android, fortnite for android, epic games

Android gamers have been itching to get their hands on Fortnite ever since the game made the jump to iOS back in April. But the developer has now confirmed that to actually play it, they’ll have to go outside Google’s Play Store distribution service. That’s going to create a lot of problems.

Fortnite Battle Royale has become a gaming sensation, a smash hit on every major gaming platform and earning an estimated $1 billion despite its free-to-play model. It’s a perfect storm of popularity, thanks to an appealing mix of conventional shooter mechanics, Minecraft-style building, and the multiplayer format du juor: a 100-player free-for-all where the last one standing wins. It’s beaten out earlier competitors in the “battle royale” genre with a cartoony art style and consistent additions to weapons and gameplay mechanics. The game dominates social media on YouTube and Twitch, and it’s so popular with teenagers and school-age children that the iOS version caused a brief panic among teachers and parents when it bowed earlier this year, a la Pokemon Go. 

fortnite, fortnite ios, iphone, android, fortnite android,

In short, Fortnite is simply the Big Game of the moment. Whether or not it can maintain its wrecking ball momentum has yet to be seen, but when it finally arrives on Android it will instantly be played by millions of people at the very least. In that context, developer Epic’s decision to offer the game as a direct download on the web instead of a conventional installation via the Google Play Store platform is a huge problem. The news was confirmed by Epic CEO Tim Sweeney, and the download and installation process was tested by EuroGamer.

Android apps can be installed either via the Play Store, which is essentially the same as Apple’s App Store and offers a huge amount of built-in protection and security, or they can be installed in a process called side-loading. This manual installation is more or less the same as downloading a program off the web to your Windows desktop and installing it yourself, and it comes with the same risks. Advanced users know to be wary of unverified downloads from third-party sources. Inexperienced users, notably children, do not, opening them up to rogue installations of malware, spyware, and other generally undesirable stuff.

Android, android security, unknown sources, unknown sources,
Android’s default app install security will need to be disabled to play Fortnite.

Fortnite developer Epic Games will ask players to go through this process in order to play the game on Android. It’s easy to understand why: hosting the game download themselves and having the installation skip the Play Store will also skip Google’s commission on its lucrative in-app purchases, the monetization strategy for essentially all free-to-play games. Google uses the industry standard 30% cut, and on a game that will make tens of millions of dollars (at least) on Android alone, it’s certainly tempting to go around the middleman.

Epic does the same thing on the PC, where it uses its own installation program instead of the more ubiquitous Steam downloader, for essentially the same reason. Fortnite has to be downloaded through official platform channels on iOS, Xbox, PlayStation, and Switch…but that’s because those platforms don’t have any other way for software to be installed—no officially-recognized “side loading” that ordinary users can access immediately. If Epic could cut Apple, Microsoft, Sony, and Nintendo out of the loop of its microtransaction profits, it would.

fake fortnite, youtube, fortnite, fortnite for android,
Even before release, fake info on Fortnite for Android is rampant on YouTube and other networks.

The reasoning behind this move is obvious, but so is the danger. With the biggest game in the world asking millions of players to bypass vital security measures built into Android, the potential for obfuscation and abuse is unlimited. Malware and spyware developers have been posting fake Android downloads for “Fortnite” for months, even blatantly advertising them on places like YouTube. They’re hoping that gamers eager to join their iPhone-owning friends in the Big Game will throw away caution in order to install an unverified program, and open up their phone to data harvesting, ransomware attacks, cryptocurrency mining, and other unsavory practices. Sweeney confirmed that Epic is aware of these issues in his interview with EuroGamer, but boasted of Android users’ “freedom to install the software they choose,” and cautioned them to download only from trusted sources.

That’s sage advice, but it’s advice that he’s making it harder to follow.

Epic’s sidestepping of the verified Play Store system will make it even more difficult for inexperienced users to spot these fake versions of the game when Fortnite arrives on Android legitimately. With a huge and ostensibly trustworthy game publisher instructing its players to disable the outside sources security check on their phones, malware distributors need only expend a tiny amount of effort to make their previously shady-looking security bypass look like Epic’s legitimate instructions on how to play the game. Epic is figuratively gift-wrapping illicit access to people’s data to hackers and identity thieves, doubly so when they know that Fortnite is extremely popular among children and tech novices. A few cheap ads promising some free in-game experience points and skins is all it will take to attract users to fake downloads in droves. Make no mistake: with this decision, Epic is trading its players’ security for in-game profit.

fortnite, fortnite iphone, fortnite ios, fortnite on phone,

Google isn’t blind to the dangers of unverified installations. Android users have to disable a fairly ominous security option just to install apps outside of the Play Store, and even then, they go through a completely isolated screening process via Google’s servers that catches the vast majority of other malware. In the latest version of Android, Oreo, the “unknown sources” toggle is reset with every new manual installation. But the sheer volume of side-loading the Fortnite phenomenon will inspire on Android inevitably means that it will become a much more prevalent vector of attack in the latter half of this year.

If you’re a gamer looking to get your battle royale on via Android, and especially if you’re a parent whose kids are obsessed with the game, take extra care to make sure you don’t become a victim of Epic Games’ short-sighted lack of concern.

Michael Crider has been covering technology on the web since 2011. His interests include folk music, football, science fiction, and salsa verde, in no particular order. He wrote a novel called Good Intentions: A Supervillain Story, and it's available on Amazon. You can follow him on Twitter if you want.