It seems that the concerns about Fortnite's safety were well founded, although not necessarily for the reasons anyone might have expected. Epic Games has been criticized for its decision not to make Fortnite available through Google Play, which causes Google to display warnings to anyone who searches for the game.
Now, a Google engineer has revealed that the first version of Epic's installer had serious security vulnerabilities, endangering Android users. A post in Google Issue Tracker shows that the installer could be misused to secretly download and install any app with any level of permissions.
There is more than a little irony to the news of a security issue (which has now been patched) coming to light just after Epic Games encouraged players to take more interest in the safety of their accounts. The vulnerability made use of the fact that instead of installing Fortnite directly, you must first download an installer that then downloads the necessary bits for you.
For the vulnerability to be exploited, a victim must already have a malicious app installed on the phone, one crafted to look for this specific type of vulnerability. The way in which the original version of the Fortnite installer was coded meant that it could easily be made to blindly install any app it was told to.
The problem is explained on the Google Issue Tracker website:
Fortnite APK (com.epicgames.fortnite) is downloaded by Fortnite Installer (com.epicgames.portal) for remote storage:
dream2lte:/ $ ls -al /sdcard/Android/data/com.epicgames.portal/files/downloads/fn.4fe75bbc5a674f4f9b356b5c90567da5.Fortnite/
drwxrwx--x 2 u0_a288 sdcard_rw 4096 2018-08-15 14:38 .
drwxrwx--x 3 u0_a288 sdcard_rw 4096 2018-08-15 14:38 ..
-rw-rw---- 1 u0_a288 sdcard_rw 75078149 2018-08-15 14:38 x1xlDRyBix-YbeDRrU2a8XPbT5ggIQ.apk
-rw-rw---- 1 u0_a288 sdcard_rw 31230 2018-08-15 14:38 x1xlDRyBix-YbeDRrU2a8XPbT5ggIQ.manifest
Any app with the WRITE_EXTERNAL_STORAGE permission can replace the APK immediately after the download is completed and the fingerprint is verified. This is done easily using a FileObserver. Fortnite Installer will continue to install the substituted (fake) APK.
On Samsung devices, Fortnite Installer performs the APK installation through a private Galaxy Apps API. This API checks that the APK being installed has the package name com.epicgames.fortnite. Consequently, the fake APK with a corresponding package name can be installed quietly.
If the fake APK has a targetSdkVersion of 22 or lower, it will be given all permissions it requests at the time of installation. This vulnerability allows an app on your device to hijack Fortnite Installer to instead install a fake APK with any permissions that normally require user information.
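The flaw in the report is a check-then-use ordering problem: the fingerprint is verified on a file in storage that other apps can write to, and the same path is read again at install time. The following is an added example, not code from Epic, Google or the issue report; it is a language-neutral Python model with constructed data and hypothetical function names, comparing that ordering with one that copies the file into a private directory (the counterpart of app-internal storage on Android) before verifying and installing it.

```python
import hashlib, os, shutil, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def install_check_then_use(shared_path, expected, install, between=lambda: None):
    """Flawed order: verify the file in shared storage, then install by path."""
    if sha256_file(shared_path) != expected:
        raise ValueError("fingerprint mismatch")
    between()                     # window in which another writer can act
    return install(shared_path)   # path is read again: contents may differ

def install_private_copy(shared_path, expected, install, between=lambda: None):
    """Hardened order: copy to a private dir, verify the copy, install the copy."""
    private_dir = tempfile.mkdtemp()   # mode 0700, owner-only
    try:
        private_path = os.path.join(private_dir, "pkg.apk")
        shutil.copyfile(shared_path, private_path)
        if sha256_file(private_path) != expected:
            raise ValueError("fingerprint mismatch")
        between()                 # later changes to shared storage are irrelevant
        return install(private_path)
    finally:
        shutil.rmtree(private_dir)

def demo():
    """Constructed data: the shared file is rewritten between check and install."""
    shared_dir = tempfile.mkdtemp()
    shared = os.path.join(shared_dir, "download.apk")
    genuine, other = b"GENUINE-PACKAGE-BYTES", b"DIFFERENT-BYTES"
    expected = hashlib.sha256(genuine).hexdigest()
    results = {}
    for name, flow in (("check_then_use", install_check_then_use),
                       ("private_copy", install_private_copy)):
        write(shared, genuine)
        # sha256_file stands in for the package installer: it reports what it was given
        got = flow(shared, expected, sha256_file, between=lambda: write(shared, other))
        results[name] = (got == expected)
    shutil.rmtree(shared_dir)
    return results   # True means the verified bytes are the bytes that were installed
```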
Epic Games initially asked Google to keep quiet about the vulnerability and demanded that the industry-standard 90-day disclosure period be observed. But Epic also rolled out a patch within 48 hours of being notified of the problem, so Google said: "Now, the patched version of Fortnite Installer has been available for 7 days and we will continue to unrestrict this issue in line with Google standardization practice."
Image Credit: Rokas Tenys / Shutterstock