Fortnite installer had a serious security flaw that Google just revealed
It seems that the concerns about Fortnite's security were well-founded -- although not necessarily for the reasons some people might have expected. Epic Games has been criticized for its decision not to make Fortnite available through Google Play, and Google has taken to showing a warning to anyone searching for the game.
Now a Google engineer has revealed that the first version of Epic's installer had a serious security vulnerability, placing Android users at risk. A post on Google's Issue Tracker shows that another app already on the device could abuse the installer to silently install an arbitrary APK with any permissions it asked for -- a Man-in-the-Disk attack.
There's more than a slight irony to the news of a security issue (which has now been patched) coming to light just after Epic Games bribed gamers into taking more interest in the security of their accounts. The vulnerability stemmed from the way Fortnite is delivered: rather than installing the game directly, you first install a small installer app, which then downloads the game's APK to the device's external storage and installs it from there.
To exploit the flaw, an attacker would first need a malicious app on the victim's phone that holds the WRITE_EXTERNAL_STORAGE permission and watches the installer's download folder. Because the original installer verified the downloaded APK's fingerprint and then installed from that same shared, writable location, a file swapped in between those two steps would be installed without any further check.
The issue is explained on Google's Issue Tracker website:
The Fortnite APK (com.epicgames.fortnite) is downloaded by the Fortnite Installer (com.epicgames.portal) to external storage:
dream2lte:/ $ ls -al /sdcard/Android/data/com.epicgames.portal/files/downloads/fn.4fe75bbc5a674f4f9b356b5c90567da5.Fortnite/
drwxrwx--x 2 u0_a288 sdcard_rw 4096 2018-08-15 14:38 .
drwxrwx--x 3 u0_a288 sdcard_rw 4096 2018-08-15 14:38 ..
-rw-rw---- 1 u0_a288 sdcard_rw 75078149 2018-08-15 14:38 x1xlDRyBix-YbeDRrU2a8XPbT5ggIQ.apk
-rw-rw---- 1 u0_a288 sdcard_rw 31230 2018-08-15 14:38 x1xlDRyBix-YbeDRrU2a8XPbT5ggIQ.manifest
Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK.
On Samsung devices, the Fortnite Installer performs the APK install silently via a private Galaxy Apps API. This API checks that the APK being installed has the package name com.epicgames.fortnite. Consequently the fake APK with a matching package name can be silently installed.
If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure.
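To make the verify-then-install race concrete, the following Python model is an added example, not Epic's installer code and not anything posted in the Google issue. It models the original flow (verify the file at a shared path, then install from that same path) beside a hardened one (read once, verify those bytes, install exactly those bytes). The APK byte strings, the manifest-like `package=` line, the `fortnite.apk` filename, the SHA-256 fingerprint and the `man_in_the_disk` hook are all constructed for the example; the hook stands in for the malicious app's FileObserver callback firing after the download closes.

```python
"""Model of the Man-in-the-Disk race on the Fortnite Installer's download folder.
Added example; the "APKs" and fingerprint below are constructed, not real files."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Constructed stand-ins for APK files. A fake "package=" line stands in for the
# real AndroidManifest.xml; both carry the package name the installer expects.
GENUINE_APK = b"PK\x03\x04 package=com.epicgames.fortnite targetSdkVersion=26 genuine-game"
FAKE_APK = b"PK\x03\x04 package=com.epicgames.fortnite targetSdkVersion=22 attacker-payload"

# Fingerprint the installer ships with (assumed here to be a SHA-256 of the expected APK).
EXPECTED_SHA256 = hashlib.sha256(GENUINE_APK).hexdigest()

AttackerHook = Optional[Callable[[Path], None]]


def package_name(apk: bytes) -> str:
    """Toy parser for the package name of a constructed APK."""
    m = re.search(rb"package=([\w.]+)", apk)
    return m.group(1).decode() if m else ""


def galaxy_apps_style_check(apk: bytes) -> bool:
    """Models the only check the issue attributes to the private Galaxy Apps API:
    the package name, which the attacker trivially matches."""
    return package_name(apk) == "com.epicgames.fortnite"


def man_in_the_disk(apk_path: Path) -> None:
    """The malicious app's FileObserver callback: as soon as the download is
    closed, overwrite the APK in shared storage with its own, same package name."""
    apk_path.write_bytes(FAKE_APK)


def vulnerable_install(shared_dir: Path, attacker: AttackerHook = None) -> bytes:
    """Original flow: download to external storage, verify the file by path, then
    hand the same path to the installer. `attacker` models the other app acting
    in the window between verification and install (the TOCTOU window)."""
    apk_path = shared_dir / "fortnite.apk"
    apk_path.write_bytes(GENUINE_APK)                       # download completes
    if hashlib.sha256(apk_path.read_bytes()).hexdigest() != EXPECTED_SHA256:
        raise ValueError("fingerprint mismatch")
    if attacker:
        attacker(apk_path)                                   # file swapped here
    installed = apk_path.read_bytes()                        # installer re-reads the path
    if not galaxy_apps_style_check(installed):               # package name still matches
        raise ValueError("package name mismatch")
    return installed


def hardened_install(download_dir: Path, attacker: AttackerHook = None) -> bytes:
    """Read the download once, verify those bytes, install exactly those bytes;
    a file swapped after verification is never consulted. On Android the download
    should additionally go to app-private internal storage so no other app can
    write there at all; that part is not modelled here."""
    apk_path = download_dir / "fortnite.apk"
    apk_path.write_bytes(GENUINE_APK)
    data = apk_path.read_bytes()                             # single read
    if hashlib.sha256(data).hexdigest() != EXPECTED_SHA256:
        raise ValueError("fingerprint mismatch")
    if attacker:
        attacker(apk_path)                                   # too late: path is not re-read
    return data


def demo() -> dict:
    """Run both flows against the same attacker; report what each actually installed."""
    with tempfile.TemporaryDirectory() as d:
        vuln = vulnerable_install(Path(d), man_in_the_disk)
        hard = hardened_install(Path(d), man_in_the_disk)
    return {"vulnerable_installed_fake": vuln == FAKE_APK,
            "hardened_installed_fake": hard == FAKE_APK}


if __name__ == "__main__":
    print(demo())
```

The lesson the model isolates is that a fingerprint check is only as good as the path between the check and the use: verify the exact bytes you hand to the installer, keep the download somewhere other apps cannot write, and treat a package-name match as no substitute for checking the signing certificate.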
Epic Games initially asked Google to keep quiet about the vulnerability, calling for the industry-standard 90-day disclosure period to be observed. But Epic also rolled out a patch within 48 hours of being notified, so Google said: "now the patched version of Fortnite Installer has been available for 7 days we will proceed to unrestrict this issue in line with Google's standard disclosure practices".