Epic blunder: Vulnerability in Fortnite installer allowed silent installation of fake APKs

It was back in April that Fortnite made its initial appearance on mobile devices, specifically on the iOS platform, after an invitation-only period. However, it only became available on Android devices earlier this month starting with a range of Samsung Galaxy devices, although Epic Games made the interesting decision to bypass the Google Play Store as a distributor to avoid paying the Mountain View company a 30% cut of in-app purchases.

Now, it has come to light that Google last week identified a potentially serious security flaw in the way Fortnite downloads and installs itself on Android devices. As documented on Google's Issue Tracker, an engineer by the name of Edward noted the following:

"Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK.

On Samsung devices, the Fortnite Installer performs the APK install silently via a private Galaxy Apps API. This API checks that the APK being installed has the package name com.epicgames.fortnite. Consequently the fake APK with a matching package name can be silently installed."

In addition to the above, a malicious APK with a targetSdkVersion value of 22 or below then it will also be given all requested permissions during installation, so long as it was named "com.epicgames.fortnite".

The engineer was quick to point out that "use of a private internal storage directory rather than external storage would help avoid this vulnerability" which was subsequently implemented by Epic Games the following day according to a member of Epic's InfoSec team. A couple of hours later, the same member requested that Google provide "the full 90 days before disclosing this issue so our users have time to patch their devices" but the company declined that request in line with its standard disclosure practices, much to the chagrin of Epic Games CEO Tim Sweeney who commented that:

"Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.

However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable."

While the security issue has been plugged up, it does go to show that if a company attempts to go it alone with mobile app distribution then it really has to be on top of its game in order to mitigate and avoid such problems and embarrassments from occurring in the first instance.

Source: Android Central via TechCrunch

Report a problem with article
office-android-silhouette
Next Article

Microsoft Excel and PowerPoint now installed 500 million+ times on Android devices

1535144012_the_boring_company_logo
Previous Article

The Boring Company's “Dugout Loop” should be ready by 2020

18 Comments - Add comment

Advertisement