Security researchers from Google have publicly disclosed an extremely serious security flaw in the first Fortnite installer for Android that could allow other apps installed on the targeted devices to manipulate the installation process and load malware instead of the Fortnite APK.
Earlier this month, Epic Games announced that it would not make its insanely popular game ‘Fortnite for Android’ available through the Google Play Store, but via its own app.
Many researchers warned the company that this approach could potentially put Android users at greater risk, as downloading APKs outside of the Play Store is not recommended and requires users to disable some security features on Android devices as well.
And it seems like those fears and concerns were true.
Google developers discovered a dangerous security flaw as soon as the Fortnite game launched on Android.
Fortnite Android Installer Vulnerable to Man-in-the-Disk Attack
In a proof-of-concept video published by Google, researchers demonstrated that their attack takes advantage of a newly introduced “man-in-the-disk” (MitD) vector (detailed in our previous article).
In a nutshell, man-in-the-disk attacks allow malicious apps to manipulate the data of other apps held in the unprotected external storage before they read it, resulting in the installation of undesired apps instead of the legitimate update.
For those unaware, to install Fortnite on your Android phone, you first need to install a “helper” app (installer) that downloads Fortnite to your phone’s storage and installs it on your phone.
Google developers discovered that any app on your phone with the WRITE_EXTERNAL_STORAGE permission could intercept the installation and replace the installation file with another malicious APK, including one with full permissions granted like access to your SMS, call history, GPS, or even camera—all without your knowledge.
“On Samsung devices, the Fortnite Installer performs the APK install silently via a private Galaxy Apps API. This API checks that the APK being installed has the package name com.epicgames.fortnite. Consequently, the fake APK with a matching package name can be silently installed,” a Google researcher said.
“If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure.”
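The difference between the package-name check described above and a content check is easy to see in a small model. The following is an added example, not code from Epic, Samsung or Google: it simulates the staging directory with temporary folders and a toy zip-based "APK", and the pinned-digest check on a private copy is one possible mitigation assumed for illustration, not the fix Epic shipped.

```python
import hashlib, hmac, json, os, shutil, tempfile, zipfile

EXPECTED_PKG = "com.epicgames.fortnite"  # package name quoted in the article

def make_apk(path, package, payload):
    # Toy "APK": a zip whose manifest.json stands in for AndroidManifest.xml (constructed).
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("manifest.json", json.dumps({"package": package}))
        z.writestr("classes.dex", payload)

def package_name(path):
    with zipfile.ZipFile(path) as z:
        return json.loads(z.read("manifest.json"))["package"]

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def weak_check(staged):
    # The only check the article describes: does the package name match?
    return package_name(staged) == EXPECTED_PKG

def hardened_check(staged, pinned_digest, private_dir):
    # Copy into storage other apps cannot write, then verify the copy, so the
    # bytes that were checked are the bytes that get installed.
    private_copy = os.path.join(private_dir, "verified.apk")
    shutil.copyfile(staged, private_copy)
    if hmac.compare_digest(sha256_file(private_copy), pinned_digest):
        return private_copy
    os.remove(private_copy)
    return None

def simulate(tamper):
    # Returns (weak_check result, hardened_check accepted?) for one install attempt.
    with tempfile.TemporaryDirectory() as root:
        shared, private = os.path.join(root, "external"), os.path.join(root, "private")
        os.makedirs(shared); os.makedirs(private)
        staged = os.path.join(shared, "fortnite.apk")
        make_apk(staged, EXPECTED_PKG, b"genuine build")
        pinned = sha256_file(staged)  # assumption: digest shipped by the publisher over TLS
        if tamper:  # another app with WRITE_EXTERNAL_STORAGE rewrites the staged file
            make_apk(staged, EXPECTED_PKG, b"substituted build")
        return weak_check(staged), hardened_check(staged, pinned, private) is not None

if __name__ == "__main__":
    print("untampered:", simulate(False))
    print("tampered:  ", simulate(True))
```

In the tampered run the package-name check still passes while the digest check on the private copy rejects the file, which is the gap the researcher's quote describes.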
Patch Update for Fortnite for Android Installed
Since the first version of the Fortnite installer was exclusively launched on Samsung phones, the vulnerability only affected the Fortnite installer available through the Galaxy Apps store, and not the version made available for non-Samsung devices.
Google discovered and reported the vulnerability on 15 August to Epic Games, which confirmed its existence, and issued a patch within just 48 hours with the release of version 2.1.0 of the Fortnite installer.
However, besides thanking Google for sharing the bug details, Epic Games CEO Tim Sweeney also criticized the researcher for publicly disclosing the vulnerability within 7 days rather than waiting 90 days.
“We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points,” Sweeney tweeted.
“But why the rapid public release of technical details? That does nothing but give hackers a chance to target unpatched users.”
Fortnite players are strongly advised to update their installer to the latest version, 2.1.0. If you have already updated but are still worried about the impact, uninstall and reinstall Fortnite for Android and start again from scratch.
Since Epic Games has not released more information on this bug, it is unclear whether the flaw was actively exploited in the wild and how many people downloaded the flawed Android APK.