Google finds flaw in Android Fortnite Installer leading to malware installation

Another day, another Fortnite malware vulnerability.

Epic Games’ decision to skip the Google Play Store and release Android Fortnite directly on its official website was perceived as an unwise move. We recently informed our readers about the salient repercussions of this decision. It was definitely risky for gamers, as they would be encouraged to download from unreliable and fishy platforms. Scammers were already busy designing fake versions of the Epic Games website to lure Fortnite fans to infected, malware-laden websites. Moreover, the step also promoted the installation of non-Store apps.

All these risks are now proving to be a reality for Epic Games. The company was informed by Google about a critical vulnerability in the game’s original Android installer for Samsung devices. This flaw could have let cybercriminals install malware using a Man-in-the-Disk (MiTD) attack.

The vulnerability was publicly disclosed by Google, and the company regarded it as a serious security flaw in the first Android Fortnite installer. The vulnerability allowed other apps installed on the device to load malware instead of the Fortnite APK by intercepting the installation process.

We must not forget that downloading APKs from any source other than the official Play Store is quite risky because users are asked to disable some crucial security features on their devices. This leaves them exposed to different kinds of cyber-attacks, including Man-in-the-Disk.

You probably already know that to install Fortnite for Android you need to install a Helper app, which then downloads the game to your device’s external storage and installs it. According to Google developers, any app holding the WRITE_EXTERNAL_STORAGE permission can easily intercept the installation. This would lead to the installation of a malicious APK, which might be granted full permissions, including access to call history, SMS content, GPS, and camera. The user would remain unaware of the whole process.

This attack, however, relied on tricking a user into installing an app built to scan for the flaw; that app then hijacks the installation process even if you haven’t enabled the Install Unknown Sources option on your phone.

Google published a proof-of-concept video in which the attack was demonstrated using the MiTD attack vector. It is worth noting that MiTD lets malicious apps manipulate data that other apps keep in external storage; altering that data results in the installation of unwanted apps instead of the authentic update.
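One way an installer can avoid the weakness described above, shown as an added example that is not Epic Games' code or its actual fix: the download is hashed while it is streamed straight into a system-owned PackageInstaller session, so the APK is never written to external storage and the bytes that were checked are the bytes that get installed. The class and method names are hypothetical, and the example assumes the expected SHA-256 digest is delivered over an authenticated channel.

```java
import android.content.Context;
import android.content.IntentSender;
import android.content.pm.PackageInstaller;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper; the class and method names are illustrative only. */
public final class VerifiedApkInstaller {

    /**
     * Streams the APK into a PackageInstaller session while hashing it and
     * commits only if the SHA-256 matches expectedSha256 (assumed to come
     * from an authenticated channel). Nothing is staged in external storage,
     * so an app holding WRITE_EXTERNAL_STORAGE has no file to replace
     * between the integrity check and the install.
     */
    public static void install(Context context, InputStream download,
                               byte[] expectedSha256, IntentSender statusReceiver)
            throws IOException, NoSuchAlgorithmException {
        PackageInstaller installer = context.getPackageManager().getPackageInstaller();
        PackageInstaller.SessionParams params = new PackageInstaller.SessionParams(
                PackageInstaller.SessionParams.MODE_FULL_INSTALL);
        PackageInstaller.Session session =
                installer.openSession(installer.createSession(params));
        boolean committed = false;
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            // Length -1: total size is not known before the download finishes.
            try (InputStream in = new DigestInputStream(download, sha256);
                 OutputStream out = session.openWrite("base.apk", 0, -1)) {
                byte[] buf = new byte[64 * 1024];
                int n;
                while ((n = in.read(buf)) != -1) {
                    out.write(buf, 0, n);
                }
                session.fsync(out); // flush staged bytes before the commit
            }
            // Constant-time comparison of the digest of the staged bytes.
            if (!MessageDigest.isEqual(sha256.digest(), expectedSha256)) {
                throw new SecurityException("APK digest mismatch, refusing to install");
            }
            session.commit(statusReceiver);
            committed = true;
        } finally {
            if (!committed) session.abandon(); // discard the unverified staged APK
            session.close();
        }
    }
}
```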

Epic Games fixed the flaw within 48 hours of being notified by Google. It is not yet clear whether anyone exploited the flaw while it was present. The company’s CEO, Tim Sweeney, has accused Google of being “Irresponsible” for disclosing the flaw publicly after only 7 days instead of waiting 90 days. This, claims Sweeney, prevented many users from updating the installer.

Epic Games has released Fortnite for Android for Samsung mobile phones only, so we can assume that the flaw might have affected the installer available through the Galaxy Apps Store. However, we suggest that you delete the current Fortnite installer and reinstall the game on your Android device just to be on the safe side.
