
Image credit: Jon Fingas/Engadget

Initial 'Fortnite' Android installer let hackers install malware

You wouldn't have even known malware was on your phone.

When Epic said it would skip the Google Play Store with Fortnite's Android release, it raised eyebrows among security experts. Wasn't it creating risks by encouraging gamers (some of whom didn't understand the potential dangers) to install non-Store apps? Well, it did... although not quite in the way you might have expected. Epic Games has patched a Google-discovered vulnerability in Fortnite's original Android installer that would have let intruders download and install malware. The exploit used a man-in-the-disk attack that took advantage of Epic's initially flawed storage handling to intercept download requests and load nefarious content.

Attackers first had to trick you into installing an app designed to look for the flaw, which might not have been difficult when players could be hunting for cheats and "free V-Bux" apps. If present, the app hijacked the install process to grab its own code without even hinting that malware was coming. You didn't need to have Android's "install unknown sources" option enabled beyond when you downloaded the Fortnite installer, and Samsung device owners didn't even have to make that effort (since they downloaded through Samsung's own Galaxy Apps).

Epic told Android Central that it delivered the fix within 48 hours after receiving word from Google, and it's not clear that anyone took advantage of the security hole during the few days it was present. The developer isn't happy with how Google addressed the situation, however. It accused Google of being "irresponsible" for publicly disclosing the flaw before many people had a chance to update their installers, and claimed Google "refused" to wait until more players had updated. That's not necessarily the case (Google appeared to have honored its disclosure policies), but it's reasonable to presume that some Fortnite fans hadn't been diligent in updating before the vulnerability was public knowledge.
