When Epic Games announced that it wouldn’t be putting its world-dominating Fortnite Android game on the Google Play store, everyone knew Google wouldn’t be happy. Epic didn’t want to pay Google 30% of every purchase via the app, a move that could potentially cost Google $50 million. In fact, Google decided to take a very hard look at the installer Epic Games was using for Fortnite and it found a massive security flaw.
Google disclosed via the Google Issue Tracker that the first Fortnite Installer was vulnerable to hijacking by hackers. This vulnerability potentially allowed the installation of any app on a user’s phone and allowed the hacker to install anything in the background including apps with full permissions granted without the user knowing. Google disclosed the issue privately to Epic Games on August 15. The information released to the public is being disclosed now, ten days later, because Epic has patched the flaw.
The original installer app downloaded the Fortnite installer first, a simple app that would then download the full game directly from Epic. That installer was easily exploitable according, to Google, as hackers could hijack the request to download Fortnite from Epic to download anything when you tapped the “download game” button via a man-in-the-middle attack. The Epic downloader would not indicate that anything was amiss with this attack. If the installer downloaded a nefarious app rather than Fortnite for Android, it would launch the malware with a tap of the “launch” button.
However, to take advantage of the flaw in the Fortnite installer, a user would have had to have a malicious app on their device already that was looking for this sort of vulnerable software. With plenty of notice that Fortnite was coming to Android and the game’s massive popularity, there is a significant chance that apps were out there looking for this type of issue. Android permissions standard operating procedure means that you would not have been prompted to download an app from “unknown sources” because you had already agreed to that to install Fortnite.
Fortnite Android was a Samsung device exclusive for a short while, and all those downloads were made via the Galaxy Apps store. Reports indicate that folks who downloaded via Galaxy Apps had it worse than those grabbing the installer directly from Epic. When downloading via Galaxy Apps, users were never prompted the first time to allow downloads from “unknown sources” because Galaxy Apps is a known source. The big rub here is since it was a known source, anything you downloaded there would be given every permission possible without future consent, including any malicious software.
Epic notes that it fixed this exploit less than 48 hours after Google disclosed it. Users who installed before the patch need to update the installer as you would update other apps. The patched version of Fortnite installer is 2.1.0. Verification of the version is available in the Fortnite Installer settings menu. Google’s efforts here certainly protected Android users while simultaneously showing users that moves like the one Epic made to bypass the Google Store can sometimes take a turn for the worse.