In the weeks leading up to the Fortnite for Android launch, we learned that Epic Games would not distribute the game the traditional way, in order to avoid the 30% cut Google takes on all transactions in the game. At the time, we reported that bypassing the Google Play store with the launch was the wrong call, and reminded you that sideloading apps is not advisable, even when they come from reputable sources.
And guess what? It turns out we were right to be concerned about Epic's approach: Google quickly found a vulnerability that would have allowed a malicious app to be installed on your device without your explicit knowledge. From there, the malware could have spied on everything you do.
As Android Central reports, Google's security team discovered the issue shortly after the game launched, and Epic patched it about 48 hours later. Google then disclosed the vulnerability publicly, something Epic was not too excited about.
The Fortnite for Android installation has two parts: you download an installer, and you use that app to download the game itself. Google found a flaw in the installer that enabled a "man-in-the-disk" attack. As soon as you press the install button, a malicious app already on your phone could watch for the download and hijack it, substituting a different app. You would not know it had happened; you would think you were getting the game, and the installer would not notice that something else had been downloaded in its place.
As you may have noticed, this requires malware to already be installed on your device. That does not mean Epic's security issue was not huge. Given Fortnite's popularity, it would not be surprising to see hackers trying to take advantage of Epic's greed.
Now, say the phone started installing a malicious app. You would not be prompted to approve the installation, because you had already agreed to allow apps from "unknown sources" when you started the whole process. On Samsung phones it's even worse, because you get the game from the Galaxy Apps store, which counts as a known source.
The installed app could then quietly declare and receive any permissions it wants, without your consent. With full permissions, a malicious app can monitor everything you do, record all chats and conversations, and access your location, microphone and camera at any time. A proof-of-concept attack is available at this link.
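As an added illustration (not Epic's installer code), this Python model contrasts the flawed flow described above, where the downloaded APK passes through shared external storage that any app holding the storage permission can rewrite, with a hardened flow that streams the download into app-private storage and verifies a vendor-supplied digest on exactly the bytes it installs. The sample APK bytes, the expected digest and the swap hook are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

GENUINE_APK = b"PK\x03\x04 genuine game package (constructed sample)"
TROJAN_APK = b"PK\x03\x04 malicious package (constructed sample)"
EXPECTED_SHA256 = hashlib.sha256(GENUINE_APK).hexdigest()  # assumed: fetched from the vendor over TLS

def install_unsafe(shared_dir, download, attacker=None):
    """Flawed flow: APK staged in shared external storage, checked there, then installed from there."""
    # Any app holding the storage permission can rewrite the file between the check and
    # the install; `attacker` models such an app running in that window.
    apk = Path(shared_dir) / "game.apk"
    apk.write_bytes(download)
    if hashlib.sha256(apk.read_bytes()).hexdigest() != EXPECTED_SHA256:
        raise ValueError("digest mismatch")
    if attacker:
        attacker(apk)  # man-in-the-disk: the file is replaced after the check passed
    return apk.read_bytes()  # what the package installer actually receives

def install_safe(private_dir, download):
    """Hardened flow: stream into app-private storage, hash while writing, install only on a match."""
    apk = Path(private_dir) / "game.apk"
    h = hashlib.sha256()
    with apk.open("wb") as f:
        for i in range(0, len(download), 8192):
            chunk = download[i:i + 8192]
            h.update(chunk)
            f.write(chunk)
    if h.hexdigest() != EXPECTED_SHA256:
        apk.unlink()
        raise ValueError("digest mismatch")
    return apk.read_bytes()  # other apps cannot reach private_dir, so these are the verified bytes

def run_demo():
    """Runs both flows in temporary directories and reports what each would have installed."""
    def swap(p):  # models the malicious app described in the article
        p.write_bytes(TROJAN_APK)
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        hijacked = install_unsafe(shared, GENUINE_APK, attacker=swap)
        genuine = install_safe(private, GENUINE_APK)
        try:
            install_safe(private, TROJAN_APK)
            rejected = False
        except ValueError:
            rejected = True
    return {"unsafe_installed_trojan": hijacked == TROJAN_APK,
            "safe_installed_genuine": genuine == GENUINE_APK,
            "safe_rejected_trojan": rejected}
```

The unsafe flow passes its own digest check and still hands the trojan to the installer, which is why the check must run on a copy no other app can reach.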
Epic was not happy that Google did not wait 90 days to reveal the problem. Here's what CEO Tim Sweeney said in a statement:
Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could quickly issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested that Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read all about it at https://issuetracker.google.com/issues/112630336.
Google's security analysis efforts are appreciated and benefit the Android platform, but a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its PR efforts against Epic's distribution of Fortnite outside of Google Play.
So Google helped Epic fix its blunder, even though the app was not delivered through the Google Play store, and Epic is still the one that's unhappy? Of course, for Google, keeping Android users safe may matter more than earning money from Fortnite.
Google's disclosure policy also contains a separate process for 0-day attacks like the one affecting Fortnite:
When we observe a previously unknown and unpatched vulnerability in software under active exploitation (a "0day"), we believe that more urgent action – within 7 days – is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised. Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.
What you should do to protect yourself is make sure you have Fortnite installer v2.1.0 installed on Android, and avoid installing apps from outside the Google Play store. Well, except for Fortnite, of course. As Google explained, you would need an actual malicious app on your phone for the download to be hijacked.