Google Discovers Security Hole in Fortnite Android Installer

Credit: Epic GamesCredit: Epic GamesEpic Games finally launched Fortnite on Android in early August. People had been waiting for the game to reach Google's platform since it debuted on iOS devices in September 2017, and with the release of Samsung's latest Galaxy devices, that patience was rewarded. But nobody should have brought out the champagne yet, as Google quickly discovered and, over the weekend, publicly disclosed a vulnerability in the tool used to install the game.

The problem starts with the fact that Fortniteisn't available through Google's official Play Store. Epic didn't want to split 30 percent of the revenues earned from the Android version of its almost-bafflingly popular game, and because Android doesn't have the same restrictions as iOS, Epic was able to cut Google out.

But the Play Store and App Store don't exist only because their parent companies want to make some extra money. They're also supposed to make sure people are only installing software from a trusted source that (ostensibly) verifies that an app is secure and non-malicious. When people install apps from alternative sources, they run a greater risk of being compromised.

Enter the vulnerability Google discovered on August 15 and publicly disclosed on August 25. An engineer at Google named Edward discovered that Epic's installer enabled "man-in-the-disk attacks" that could let hackers quietly install malware alongside Fortnite (you can learn more about man-in-the-disk attacks via an August 12 blog post from security software vendor Check Point). The malware could also be given permission to access data without requiring any user input.

Epic released a fix on August 16. The company requested that Google maintain its standard of waiting 90 days before publicly disclosing the vulnerability, however, so people would have a chance to update their devices.

Google decided not to wait. "As mentioned via email," Edward said, "now the patched version of Fortnite Installer has been available for seven days we will proceed to unrestrict this issue in line with Google's standard disclosure practices."

This led Epic founder Tim Sweeney to criticize Google in a tweet saying the company was "creating an unnecessary risk for Android users in order to score cheap PR points."

Publicly disclosing this vulnerability could make it seem like Epic should have simply distributed Fortnite via the Play Store. Several comments on the initial disclosure made since it was public confirm this; some people have criticized Epic for using its own installer. Even if that wasn't Google's intention, that's how a number of people are taking the news, and people who haven't updated remaining vulnerable just makes things worse.

This thread is closed for comments
9 comments
    Your comment
  • Dosflores
    "The problem starts with the fact that Fortnite isn't available through Google's official Play Store."

    No. The problem starts with the fact that microSD card access on Android isn't secure. External researchers found this, and were able to perform man-in-the-disk attacks on apps developed by Google. Google has now adopted the best practices given by those researchers, and told Epic Games to do it too.

    Don't try to make it look as though Google are the good ones. They didn't discover any security hole. They created an OS with a security hole which was discovered by a third party.
  • shrapnel_indie
    Quote:
    Epic released a fix on August 16. The company requested that Google maintain its standard of waiting 90 days before publicly disclosing the vulnerability, however, so people would have a chance to update their devices. Google decided not to wait. "As mentioned via email," Edward said, "now the patched version of Fortnite Installer has been available for seven days we will proceed to unrestrict this issue in line with Google's standard disclosure practices."


    Don't kid yourself. Google wanted to make an example of Epic. The threat may have been real, and now mitigated... but the fear of such issues makes for good pressure to push apps into the Google App store where, in addition to such added "security" Google DOES get a cut of the profits. It's easy to hide real intent behind the security issue because security is so important... and also take advantage of it for your own benefit. Google isn't a saint although they've tried to play the part. Remember that they've modified their internal mantra so it doesn't include not doing harm/wrong. Also, going by this, Google has changed their policy... or at least has a different one internally than what they tell others.
  • valeman2012
    330834 said:
    Quote:
    Epic released a fix on August 16. The company requested that Google maintain its standard of waiting 90 days before publicly disclosing the vulnerability, however, so people would have a chance to update their devices. Google decided not to wait. "As mentioned via email," Edward said, "now the patched version of Fortnite Installer has been available for seven days we will proceed to unrestrict this issue in line with Google's standard disclosure practices."
    Don't kid yourself. Google wanted to make an example of Epic. The threat may have been real, and now mitigated... but the fear of such issues makes for good pressure to push apps into the Google App store where, in addition to such added "security" Google DOES get a cut of the profits. It's easy to hide real intent behind the security issue because security is so important... and also take advantage of it for your own benefit. Google isn't a saint although they've tried to play the part. Remember that they've modified their internal mantra so it doesn't include not doing harm/wrong. Also, going by this, Google has changed their policy... or at least has a different one internally than what they tell others.


    Doesn`t matter. Fortnite wants to bully PUBG now? Now Fortnite/Epic Games want to bully Google by not going through the playstore.... Epic Game tries to prevent the public knowing that there a security flaw in their Mobile Game or else it will not able complete against PUBG Mobile..

    Now we know thhey dont really care about user security, how secured is the PC Version client?