The increasingly popular shooter game, Fortnite, is sparking security fears after Google announced the discovery of a vulnerability in the Fortnite Installer for Android, which could con the installer into installing an app other than Fortnite, without users’ knowledge.
And Google’s announcement has drawn the ire of Fortnite creator Epic Games.
In an effort to avoid the 30-percent commission Google takes on in-app purchases, Epic Games opted not to distribute Fortnite through the Google Play Store, making it one of only a handful of apps to be self-distributed on Android. Users must go to Epic Games’ website and download a Fortnite installer, which both installs the game and keeps it updated.
The vulnerability is a “Man-in-the-disk” (MITD) hack. After the installer downloads the game’s Android APK file, a malicious third-party app could swap that file for its own before installation, without the user or the installer itself noticing. The installed app could then request and be granted any permissions without the user’s knowledge, allowing the malware to monitor everything the user does, from accessing the device’s microphone and camera to recording chats and phone calls.
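An MITD swap only works while the downloaded APK sits in storage that other apps can write, between the moment it is checked and the moment it is installed. The following is an added illustration of the defensive pattern, not Epic’s installer code or the patch the article mentions: keep the APK bytes in app-private memory, verify their digest there, and stream those same bytes into a PackageInstaller session instead of re-reading a path on shared storage. The class name, the broadcast action string and the source of the expected digest are assumptions.

```java
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInstaller;
import java.io.IOException;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical installer helper (not Epic's code): verifies an APK in memory, then installs it. */
public final class VerifiedApkInstaller {

    // Placeholder action for the install-result broadcast; any app-private action name works.
    private static final String SESSION_ACTION = "com.example.installer.SESSION_RESULT";

    /**
     * Installs apk only if its SHA-256 matches expectedSha256Hex. The caller must obtain that
     * digest from a trusted channel (e.g. the authenticated HTTPS download), never from shared
     * storage. The bytes are hashed and written from this array, so there is no window in which
     * another app can rewrite a file between the check and the install.
     */
    public static void verifyAndInstall(Context ctx, byte[] apk, String expectedSha256Hex)
            throws IOException, NoSuchAlgorithmException {
        if (!sha256Hex(apk).equalsIgnoreCase(expectedSha256Hex)) {
            throw new SecurityException("APK digest mismatch; refusing to install");
        }
        PackageInstaller installer = ctx.getPackageManager().getPackageInstaller();
        PackageInstaller.SessionParams params =
                new PackageInstaller.SessionParams(PackageInstaller.SessionParams.MODE_FULL_INSTALL);
        int sessionId = installer.createSession(params);
        try (PackageInstaller.Session session = installer.openSession(sessionId)) {
            // The session stages the APK in system-owned storage that other apps cannot touch.
            try (OutputStream out = session.openWrite("base.apk", 0, apk.length)) {
                out.write(apk);
                session.fsync(out);
            }
            Intent result = new Intent(SESSION_ACTION).setPackage(ctx.getPackageName());
            PendingIntent pi = PendingIntent.getBroadcast(ctx, sessionId, result,
                    PendingIntent.FLAG_MUTABLE | PendingIntent.FLAG_UPDATE_CURRENT);
            session.commit(pi.getIntentSender()); // install result arrives via the broadcast
        }
    }

    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```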
Google notified Epic Games of the security flaw in the installer, and Epic provided a patch within 48 hours, requesting that Google not disclose the issue to the public for 90 days.
So Google’s public announcement on Aug. 15, which came a week after the patch was released, upset Epic Games because, CEO Tim Sweeney said, after just seven days the update had yet to reach many installations, leaving some devices still vulnerable to the attack.
Sweeney issued a statement saying:
“Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336.
Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”
To avoid becoming a victim yourself, make sure the Fortnite installer version you download for your Android device comes from Epic Games (not just a website claiming to be Epic Games) and is no older than v2.1.0. It is also recommended that you don’t download any non-Google Play Store apps.