Epic Games’ popular shooter Fortnite has been out on Android for just a few weeks, and already there are concrete examples of some of the security fears brought about by the game’s unique distribution method. Google disclosed a vulnerability in the Fortnite Installer that could trick the installer into installing something other than Fortnite.
Fortnite is one of the rare Android apps that isn’t distributed on the Google Play Store. Epic, in an effort to avoid Google’s 30-percent cut of in-app purchases, is distributing the game itself on Android. Users who want Fortnite must go to Epic’s website and download an app called the “Fortnite Installer,” which will then download and install the Fortnite game and keep it up to date. This distribution method opens up users to a number of potential security risks. Getting the installer means users must allow “unknown sources” installation through the browser, and they have to make sure they’re actually downloading Fortnite from Epic Games and not just a website claiming to be Epic Games.
The Fortnite Installer was vulnerable to a “Man-in-the-disk” (MITD) attack. The installer, after downloading the game, could have the Android APK file swapped out with a malicious copy by a third-party app just before it was installed. The vulnerability only worked on Samsung devices—the “exclusive” launch OEM for Fortnite on Android. According to Google’s bug report, on Samsung phones, the Fortnite Installer used a “private Galaxy Apps API.” Samsung’s API stores the downloaded file in Android’s “external” storage, which is world readable, leading to the security problems. Google’s bug report even mentions that “Using a private internal storage directory rather than external storage would help avoid this vulnerability.”