Fortnite’s Android vulnerability leads to Google/Epic Games spat

Epic Games’ popular shooter Fortnite has been out on Android for just a few weeks, and already there are concrete examples of some of the security fears brought about by the game’s unique distribution method. Google disclosed a vulnerability in the Fortnite Installer that could trick the installer into installing something other than Fortnite.

Fortnite is one of the rare Android apps that isn’t distributed on the Google Play Store. Epic, in an effort to avoid Google’s 30-percent cut of in-app purchases, is distributing the game itself on Android. Users who want Fortnite must go to Epic’s website and download an app called the “Fortnite Installer,” which will then download and install the Fortnite game and keep it up to date. This distribution method opens up users to a number of potential security risks. Getting the installer means users must allow “unknown sources” installation through the browser, and they have to make sure they’re actually downloading Fortnite from Epic Games and not just a website claiming to be Epic Games.

The Fortnite Installer was vulnerable to a “Man-in-the-disk” (MITD) attack. The installer, after downloading the game, could have the Android APK file swapped out with a malicious copy by a third-party app just before it was installed. The vulnerability only worked on Samsung devices—the “exclusive” launch OEM for Fortnite on Android. According to Google’s bug report, on Samsung phones, the Fortnite Installer used a “private Galaxy Apps API.” Samsung’s API stores the downloaded file in Android’s “external” storage, which is world readable, leading to the security problems. Google’s bug report even mentions that “Using a private internal storage directory rather than external storage would help avoid this vulnerability.”

Post Author: martin

Martin is an enthusiastic programmer, a web developer and a young entrepreneur. He has been interested in computers for a long time. At the age of 10 he programmed his first website, and he has been working on web technologies ever since. He is the Founder and Editor-in-Chief of the BriefNews.eu and PCHealthBoost.info online magazines. His colleagues appreciate him as a passionate workhorse, a fan of new technologies, an eternal optimist and a dreamer, but especially as the soul of the team, for whom he can do anything in the world.
