Epic’s decision to bypass the Play Store and have users download an APK on the web was widely criticized from a security standpoint. That backlash was quickly proven to be warranted after Google discovered a flaw in the Fortnite install process. Fortunately, Epic Games was able to very quickly address the issue.
Google this evening fully detailed (via Android Central) the incident on its issue tracker. To play the hit game, users must first get the Fortnite Installer that then proceeds to download the full application.
However, a flaw with the Installer allowed a malicious app — that takes advantage of a man-in-the-disk attack and must already be present on the device (1st screenshot below) — to commandeer that assumed download of Fortnite to any other file on the web.
Google included a proof-of-concept video of the attack on a Samsung phone that demonstrates a user first installing the Fortnite Installer from Galaxy Apps and then proceeding to download what they think is Fortnite (2nd & 3rd screenshot).
Once complete, a user presses “Launch” — while still in the official Fortnite Installer (4th screenshot) — only to have the nefarious, just downloaded application open. This is made possible by Epic’s Installer application only checking that the downloaded APK has a package name of com.epicgames.fortnite.
If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure.
Users on non-Samsung devices — after downloading what’s assumed to be Fortnite — still have to manually approve installation of the app via the default Android system prompt, including first granting the “Allow from this source” permission to the Fortnite Installer.
However, the malicious application wanting to be installed could just adopt Fortnite’s app name and icon (as seen in the 5th screenshot). For comparison, on Samsung devices, the install is immediate with no further user approval required.
A Google security researcher discovered and reported the flaw to Epic Games on August 15th. The app was made available to Samsung devices on August 9th and entered general Android availability on the 11th.
To Epics’ credit, version 2.1 of the Installer that fixed the issue was rolled out the very next day. The game developer requested that Google wait 90 days before disclosing the issue, but Google followed its well-known stringent policy of detailing the vulnerability as it had been seven days since the patch was made available.
When we observe a previously unknown and unpatched vulnerability in software under active exploitation (a “0day”), we believe that more urgent action—within 7 days—is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised. Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information.
This resulted in Epic CEO Todd Sweeney issuing a statement to Android Central that thanked Google for the “in-depth security audit of Fortnite immediately following our release on Android.” However, the game developer called Google “irresponsible” for disclosing the technical details so quickly while “many installations had not yet been updated and were still vulnerable.”
Sweeney goes on to claim that this is apparently part of “counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”
Google commented to AC that “user security is our top priority” as showcased by the security review and quickly informing Epic. It also acknowledges on the Play Store that Fortnite is not available to discourage users from downloading nefarious apps that purport to be it.
FTC: We use income earning auto affiliate links. More.