A serious vulnerability has been disclosed in the Fortnite installer for Android phones. The vulnerability has since been patched but it allowed malware to use the Fortnite installer to install anything – including apps with full permissions – in the background.
The vulnerability worked because the installer did not include the game itself so any app with the WRITE_EXTERNAL_STORAGE permission could hijack the process using a “man in the disk” attack.
Man in the disk attacks rely on having the malware already on your phone when a vulnerability like this becomes available.
As Epic distributed the installer themselves instead of using the Google Play Store, they tried to sidestep the otherwise default behaviour of checking permissions of the app you’re installing. Meaning that any malicious apps installed would have the same permissions as Fortnite would have: camera, location, microphone, SMS, storage and phone.
Epic patched the installer within 48 hours of being notified. To be sure that you’re a secure version of the Fortnite installer make sure you are using version 2.10 or higher. If you have an earlier version make sure you update it before using it to install Fortnite.
Tim Sweeney, Epic CEO, posted on Twitter his displeasure with way Google handled the disclosure of the vulnerability.
Wouldn’t it be safer to disclose the technical details of vulnerabilities based on adoption rate of updates rather than mere availability?
Of course the PR about the existence of a vulnerability and importance of updating could go ahead without disclosing the technical details.
— Tim Sweeney (@TimSweeneyEpic) August 27, 2018
While the patch to remove the vulnerability is available, a low adoption rate could still expose some users to the attack if they do not update the installer.