In the weeks leading to the Fortnite for Android launch, we learned that Epic Games didn’t want to make the game available the traditional way to save the 30% cut Google would get for all the in-game transactions. At the time, we told you it was wrong for the company to bypass the Google Play Store with the launch, and reminded you that sideloading apps isn’t advisable, even if they come from reputable sources.
And guess what? It turns out we were right to be concerned about Epic’s approach: Google quickly discovered a security flaw in Epic’s installer that would have allowed a malicious app already on your device to get any other app it wanted installed, without your explicit knowledge. From then on, that malware app could have spied on everything you do.
As Android Central reports, Google’s security team found the issue soon after the game was launched, and Epic patched it some 48 hours later. Google then disclosed the vulnerability to the public; something Epic wasn’t too thrilled about.
The Fortnite for Android install has two parts. You first download a small installer app, and then that app downloads the actual game APK and hands it to the system to install. Google discovered that the installer saved the downloaded APK to external storage, which any app holding the storage permission can read and write, and that it never checked that the file it was about to install was the one it had just downloaded. That makes a “man-in-the-disk” attack possible: as soon as you press that install button, a malicious app already on your phone watches the download directory, swaps the game APK for its own APK, and the installer installs the substitute. You would not know it was happening, because you’d think you were getting the game, and the installer wouldn’t realize it was installing something else either.
As you may have noticed, you’d already have to have a malicious app installed on your device, one that has been granted the storage permission. That doesn’t mean Epic’s security issue wasn’t a massive one. Given the popularity of Fortnite, it’s not surprising to see hackers try to take advantage of Epic’s greed.
Now, say your phone did start installing a malware app this way: you would not be prompted to accept the installation, because you had already agreed to get apps from “unknown sources” when you started the whole process. On Samsung phones it’s even worse, because you get the game through the Galaxy Apps store, which the phone treats as a known source, so the substitute app installs silently.
The installed app could then quietly declare and receive any permission it wants, without your consent. With full permissions, a malware app could monitor everything you do, record all your chats and calls, and access your location, microphone, and camera at all times. A proof-of-concept attack is available in Google’s bug report.
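To make the man-in-the-disk failure concrete, here is an added simulation. It is not Epic’s installer code and not Google’s proof of concept; the directory, the payload bytes and the pinned digest are constructed for illustration. Stage one writes the downloaded APK to a directory that stands in for shared external storage, a second “app” rewrites that file between the two stages, and stage two installs whatever is on disk. The hardened variant compares the file’s SHA-256 against a digest the installer obtained over its own authenticated channel before handing the file to the package installer.

```python
"""Simulation of a man-in-the-disk hijack of a two-stage installer.

Added example, not Epic's code. Paths, payload bytes and the pinned
digest below are constructed stand-ins.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed payloads standing in for a real game APK and an attacker's APK.
GENUINE_APK = b"PK\x03\x04 genuine-game-apk (constructed bytes)"
MALICIOUS_APK = b"PK\x03\x04 malicious-apk (constructed bytes)"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Digest the installer learned over its authenticated (HTTPS) channel,
# e.g. from a signed manifest. Assumption: the server publishes it.
EXPECTED_DIGEST = sha256(GENUINE_APK)


class Installer:
    """Stage 1 downloads the APK to a directory; stage 2 installs the file
    found on disk. With verify=False it trusts the disk, like the flawed
    installer; with verify=True it checks the pinned digest first."""

    def __init__(self, download_dir: Path, verify: bool):
        self.verify = verify
        self.apk_path = download_dir / "fortnite.apk"

    def download(self) -> None:
        # Simulated network download: the bytes written are genuine.
        self.apk_path.write_bytes(GENUINE_APK)

    def install(self) -> str:
        # Re-read from disk: this is the window a man-in-the-disk exploits.
        data = self.apk_path.read_bytes()
        if self.verify and sha256(data) != EXPECTED_DIGEST:
            raise ValueError("APK on disk does not match expected digest")
        return "installed:" + ("malicious" if data == MALICIOUS_APK else "genuine")


def malicious_app_swaps(shared_dir: Path) -> bool:
    """Any app with write access to shared storage can replace the file
    between download and install. Returns True if a swap happened."""
    target = shared_dir / "fortnite.apk"
    if not target.exists():
        return False
    target.write_bytes(MALICIOUS_APK)
    return True


def run(verify: bool, attacker_present: bool) -> str:
    """Run the two stages in a scratch directory that plays the role of
    world-writable external storage; return what got installed."""
    with tempfile.TemporaryDirectory() as d:
        shared = Path(d)
        installer = Installer(shared, verify)
        installer.download()
        if attacker_present:
            malicious_app_swaps(shared)
        try:
            return installer.install()
        except ValueError:
            return "refused"


if __name__ == "__main__":
    for verify in (False, True):
        for attacker in (False, True):
            print(f"verify={verify} attacker={attacker}: {run(verify, attacker)}")
```

The other fix, which needs no pinned digest, is to download into app-private internal storage, where other apps have no write access to begin with. Android’s own APK signature check is not a substitute for either: on a fresh install it only proves the file was signed by somebody, not that it was signed by Epic.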
Epic wasn’t happy that Google didn’t wait for 90 days to disclose the issue. Here’s what CEO Tim Sweeney said in a statement:
Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336.
Google’s security analysis efforts are appreciated and benefit the Android platform; however, a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.
So Google helped Epic fix its blunder even though the app wasn’t provided via the Google Play store, and it’s still Epic that’s unhappy? Of course, for Google, it may be more critical to keep Android users safe than to make money off of Fortnite.
Also, Google’s disclosure guidelines include a different, faster process for 0-day vulnerabilities like the one in Fortnite:
When we observe a previously unknown and unpatched vulnerability in software under active exploitation (a “0day”), we believe that more urgent action—within 7 days—is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised. Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.
What you should do to protect yourself is make sure you have Fortnite Installer v2.1.0 (the patched version) or newer installed on your Android device, and keep avoiding apps from outside the Google Play store. Well, aside from Fortnite, of course. As Google explained, you’d need an actual malicious app on your phone for the download to be hijacked.