After lots of rumors, Fortnite Mobile finally made its debut on Android earlier this month alongside the announcement of Samsung Galaxy Note9. However, for those unaware, Fortnite Mobile for Android isn’t available for download through Google Play Store. Instead, it’s distributed through the official website of Epic Games – developer and publisher of Fortnite Mobile. This gave rise to a lot of debates and fear surrounding the potential security risks, and, that fear has turned out to be true, as the very first Fortnite Installer for Android came with a major security flaw.
As Fortnite Mobile for Android isn’t available for download through the Play Store, users are required to download what’s called Fortnite Installer from Epic Games’ official website. This Installer then installs the game on your Android smartphone. However, a member of Google’s security team discovered a major security flaw in this installer that could allow silent installation of apps on Android devices, even when installation from unknown sources is forbidden.
The security flaw made the Installer vulnerable to Man-in-the-Disk attack that could allow other apps to download fake or malicious apps on your Android smartphone with you not even knowing about it. However, for this vulnerability to be exploited, you would need to already have an app installed on your smartphone that could download fake/malicious apps on your smartphone. Well, this could only be a problem for those who download not-so-legitimate apps from sources other than Google’s Play Store.
Here’s what Google’s engineer said while reporting the issue:
“On Samsung devices, the Fortnite Installer performs the APK install silently via a private Galaxy Apps API. This API checks that the APK being installed has the package name com.epicgames.fortnite. Consequently the fake APK with a matching package name can be silently installed.
If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure.“
Fortunately, this vulnerability was fixed by Epic Games within two days of being reported by Google by deploying a patched Fortnite Installer carrying version number 2.1.0. If you have Fortnite Installer 2.1.0 installed on your smartphone, you no longer have to worry about this vulnerability, but, if you don’t, then the best way to stay safe is to uninstall the Fortnite Installer and then download it again from Epic Games’ website.
Epic Games hasn’t revealed whether this vulnerability was exploited or not, but, the company CEO is definitely not happy with Google for disclosing this security flaw publicly within 90 days which is the standard time period for revealing an issue publicly. However, Google has a policy of disclosing security issues publicly after seven days from being fixed.
Here’s the entire statement from Tim Sweeney, CEO of Epic Games:
“Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.“
Well, we wouldn’t have had this kind of issues to deal with at first place if Epic Games had decided to distribute the game through Google Play Store instead of their own website. Having said that, Epic Games do really deserve a pat on their back for fixing this vulnerability within two days of being reported by Google.