Fortnite is THE game right now. Almost every gamer has heard of it and when it comes to Twitch you can normally find it amidst the top 3 games. It’s fun, it’s colorful, and it’s not only available for PC and console but now for Android as well.
Sounds great, right? Well, there is a small issue. Apparently, you cannot install the game itself via Google Play. While that would have been the logical way to do it, Epic Games decided to only provide an installer with which the game can then be downloaded later on. Sadly it apparently is pretty easy to hijack and exploit the installer.
“Man-in-the-disk” attack
Google researchers have discovered that the Fortnite installer only has some rudimentary security when it comes to what gets downloaded on the user’s phone. While it initially checks via checksum if the correct download is initiated, that’s all it does. Whether or not the real file gets installed is never verified.
The lax security makes the installer vulnerable for a so-called “Man-in-the disk” attack: A download is initiated via the app but the request is intercepted by some cybercriminals. Now, instead of really downloading the file you want, the installer goes on and puts a malicious one on the phone. Once on the mobile you probably install and launch it as well, without noticing that something is amiss until it’s too late; after all who would be suspicious of the official Fortnite app?
Not without being infected before
There is “good” news though. A man-in-the-disk attack cannot be launched without the phone being infected already. That means that a potential attacker would have to already have a malicious app installed on the phone that actually scans for vulnerabilities like this one – and that’s highly unlikely (albeit not impossible).
Google vs. Epic Games
Epic Games fixed the error as soon as they received word from Google about the vulnerability, so everyone downloading it from now on should be safe. If you have an old version of the Fortnite installer on your mobile you should consider updating it ASAP. If you have version 2.1.0 (or above) you should be fine.
Generally, that should have been it (and it is if you only want to stay safe!). But the story goes a bit further. Google noticed the issue mid-August and informed Epic Games who released a patch in less than a day. The Company’s CEO Tim Sweeney told Android Central that “an Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused.“ The issue was made public seven days later.
Why? One can only guess. Perhaps it has to do with Epic Games not wanting to have their game on the Google Play store directly. That way Google does not get a cut when it comes to microtransactions which – considering the popularity of Fortnite – is a lot of money.