Google discovered a security flaw in the Fortnite for Android installer, which Epic Games released as its way to bypass the Google Play store. Earlier this month, Epic Games and Google had confirmed that the popular game would skip Google Play and instead be available via a client known as the Fortnite Installer. However, the installer was found to contain a dangerous security flaw that would enable hackers to install malicious apps on smartphones. Google wasted no time in pointing out this mistake, and Epic Games was quick to respond by fixing the flaw.
To recall, Fortnite was made available on Samsung handsets on August 9 and general availability was announced on August 11. On August 15, a Google security researcher discovered and reported a flaw. In its issue tracker, Google explained that Fortnite's Android installer could allow attackers to install anything they want. In order to play Fortnite, players are required to first get the Fortnite Installer, which then downloads the full application. The issue, however, was that the Fortnite Installer could easily be exploited to hijack the request to download Fortnite from Epic and instead download malicious apps when users tap the button to download the game. This type of hack is known as a 'man in the disk' attack.
To further detail the vulnerability, Google also provided a proof-of-concept video of the attack on a Samsung smartphone. The video shows a user installing the Fortnite Installer from Galaxy Apps and then downloading what is thought to be Fortnite. After the process completes, the user is seen tapping 'Launch', only to find a random app open.
Once the download is complete, the user presses "Launch" while still in the official Fortnite Installer, only to have the nefarious, just-downloaded application open. According to Google, this is possible because Epic's installer only checks that the downloaded APK has a package name of com.epicgames.fortnite before installation. Notably, the downloaded app was shown to come with lots of extra permissions too.
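The weakness of a name-only check can be seen in a small model. The following is an added example, not code from Epic, Google or the original article: the zip-with-JSON "APK" is a constructed stand-in for the real format, and the pinned SHA-256 digest is one assumed way to harden the check, not a description of the fix Epic shipped.

```python
import hashlib
import hmac
import io
import json
import zipfile

EXPECTED_PACKAGE = "com.epicgames.fortnite"  # package name quoted in the article


def build_sample_apk(package: str, payload: bytes) -> bytes:
    """Constructed stand-in for an APK: a zip whose manifest is plain JSON."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("manifest.json", json.dumps({"package": package}))
        archive.writestr("classes.dex", payload)
    return buf.getvalue()


def declared_package(apk: bytes) -> str:
    with zipfile.ZipFile(io.BytesIO(apk)) as archive:
        return json.loads(archive.read("manifest.json"))["package"]


def name_only_check(apk: bytes) -> bool:
    """Weak check: the package name is chosen by whoever built the file."""
    return declared_package(apk) == EXPECTED_PACKAGE


def pinned_digest_check(apk: bytes, trusted_sha256: str) -> bool:
    """Hardened check: hash the exact bytes that will be handed to the installer.

    The digest is compared first, so an untrusted file is never parsed.
    """
    actual = hashlib.sha256(apk).hexdigest()
    return hmac.compare_digest(actual, trusted_sha256) and name_only_check(apk)


# Constructed sample data: two files declaring the same package name.
GENUINE = build_sample_apk(EXPECTED_PACKAGE, b"genuine game code")
SUBSTITUTED = build_sample_apk(EXPECTED_PACKAGE, b"some other app")
# Assumption: the installer learns this digest from its own server over TLS.
TRUSTED_SHA256 = hashlib.sha256(GENUINE).hexdigest()

if __name__ == "__main__":
    for label, apk in (("genuine", GENUINE), ("substituted", SUBSTITUTED)):
        print(label, name_only_check(apk), pinned_digest_check(apk, TRUSTED_SHA256))
```

On a real device the same idea is usually expressed by comparing the APK's signing certificate with a pinned one, and by verifying the same bytes that are passed to the package installer so the file cannot be swapped after the check.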
However, Epic Games' developers quickly jumped on the issue and deployed a fix soon after. Version 2.1 of the Fortnite Installer, which fixed the issue, was rolled out on August 17. Epic InfoSec then asked Google to wait 90 days before publishing the information. However, Google published the flaw on August 24, saying, "...now the patched version of Fortnite Installer has been available for 7 days we will proceed to 'unrestrict' this issue in line with Google's standard disclosure practices."
As a result, Epic CEO Todd Sweeney issued a statement to Android Central. While he thanked Google for the "in-depth security audit of Fortnite immediately following our release on Android," he also called the search giant "irresponsible" for publicly disclosing the technical details so quickly, even though "many installations had not yet been updated and were still vulnerable." Meanwhile, Google maintained that its decision to unrestrict the issue was in line with its standard disclosure practices.