It’s barely been a month since Fortnite Battle Royale was released for Android, but it turns out that it’s already creating a security risk for users. To recall, Fortnite for Android was not released on the Google Play Store because the company wanted to avoid paying a commission to Google. Now, Google themselves have revealed that they discovered a very serious flax in the Fortnite Installer. The flaw would allow the installer to install any other app to a user’s phone without their knowledge. According to a report by Android Central, Google’s team of researchers first disclosed the vulnerability to Fortnite’s developer, Epic Games, in private on August 15. After receiving confirmation from Epic that the vulnerability was fixed, it released the information publically.
To install the game on Android, users have to install the Fortnite Installer first, which then installs the game. However, Google’s security researchers found that the Fortnite Installer could easily be exploited to hijack the download request. Hackers could redirect the download request to any other app that they wanted. This would occur without the user’s or even the installer’s knowledge. So when they tapped the ‘Download’ button, the installer could install something other than Fortnite. This is known as a ‘man-in-the-disk’ attack.
However, in order for this to happen, user’s would need to already have a malware that was looking to exploit such a vulnerability. However, given the popularity of the game, it’s quite likely the such apps would already be circulating the internet.
Thankfully, Epic Games is rolling out a fix for the flaw. Android Central reports that the fix is available with the version 2.1.0 of the installer. The fact that the game is available on a limited number of devices should also limit the spread of any malware if there are any.
The CEO of Epic Games, Tim Sweeney got in touch with Android Central with a statement which said:
“Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google's security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play.”
While Sweeney may be fuming at Google for disclosing the technical details of the flaw so quickly, the disclosure was in line with the company's policy for ‘0day’ exploit. For security vulnerabilities that the company believes that there is a previously unknown and unpatched vulnerability in software which could be actively exploited, it gives a time frame of just seven days before disclosing the flaw. While Google notes that this time frame may be too short for certain vendors, it feels that is enough time for the vendor to at least publish advice on possible mitigations like temporarily disabling service, restricting access and so forth.